b'                     United States Department of Justice\n                          Office of the Inspector General\n                                            Audit Division\n\n\n\n\n   Audit Report\n\n  Independent Evaluation\n      Pursuant to the\n  Government Information\n    Security Reform Act\n     Fiscal Year 2002\n\n The United States Marshals\nService\xe2\x80\x99s Warrant Information\n           Network\n\n\n\n\n     November 2002\n         03-03\n\x0c           INDEPENDENT EVALUATION PURSUANT TO THE\n         GOVERNMENT INFORMATION SECURITY REFORM ACT\n                      FISCAL YEAR 2002\n\n               THE UNITED STATES MARSHALS SERVICE\xe2\x80\x99S\n                  WARRANT INFORMATION NETWORK\n\n                  OFFICE OF THE INSPECTOR GENERAL\n                         EXECUTIVE SUMMARY\n\n       The mission of the United States Marshals Service (USMS) is to protect\nthe Federal courts and ensure the effective operation of the judicial system.\nSpecifically, the USMS is responsible for providing protection for the federal\njudiciary, transporting federal prisoners, protecting endangered federal\nwitnesses, and managing assets seized from criminal enterprises.\n\n       The Warrant Information Network (WIN) contains the warrant, court\nrecords, internal correspondence related to the warrant, and other\ninformation on individuals for whom federal warrants have been issued.\nWIN is used to track the status of all federal warrants to aid in the\ninvestigations of all federal fugitives. It is also used to access the National\nLaw Enforcement Telecommunication System (NLETS) and National Crime\nInformation Center (NCIC) systems to obtain criminal record information\nfrom other federal, state, local and foreign law enforcement agencies\nparticipating in or cooperating with USMS fugitive investigations and\napprehension efforts and to update the respective systems with new\nprisoner information.\n\n      WIN is accessed by both USMS district offices and headquarters users\nthrough the Marshal Network (MNET). MNET is the backbone unclassified\nnetwork for USMS operations. MNET is a sensitive but unclassified system\nthat provides office automation tools to USMS personnel in carrying out their\nworldwide mission. MNET is accessible from field sites and from certain\nother federal agencies and commercial organizations.\n\n     The Office of the Inspector General (OIG) was required by the\nGovernment Information Security Reform Act (GISRA) to perform an\nindependent evaluation of the United States Department of Justice\n(Department) information security program and practices. The OIG selected\nWIN as one of five sensitive but unclassified systems to review pursuant to\nGISRA for the fiscal year 2002. However, because of WIN\xe2\x80\x99s dependence on\nMNET, audit work was expanded to include MNET as well.\n\n\n\n\n                                      -i-\n\x0c       Under the direction of the OIG and in accordance with Government\nAuditing Standards, PricewaterhouseCoopers LLP (PwC) performed the\naudits of WIN and MNET. This report contains the audit results of the WIN\nand MNET systems. Separate reports will be issued for each of the other\nsystems evaluated pursuant to GISRA, including three systems that process\nclassified information.\n\n      The audit took place from June through July 2002 and consisted of\ninterviews, on-site observations, and reviews of Department and component\ndocumentation to assess WIN\xe2\x80\x99s and MNET\xe2\x80\x99s compliance with GISRA and\nrelated information security policies, procedures, standards, and guidelines.1\nWe2 used commercial-off-the-shelf and proprietary tools to conduct\nvulnerability tests and analysis of significant operating system integrity and\nsecurity controls.\n\n       The interviews were conducted using the questionnaire contained in\nthe National Institute of Standards and Technology (NIST) Special\nPublication (SP) 800-26, \xe2\x80\x9cSecurity Self-Assessment Guide for Information\nTechnology Systems.\xe2\x80\x9d This questionnaire contains specific control objectives\nand suggested techniques against which the security of a system or group of\ninterconnected systems can be measured. The questionnaire contains 17\nareas under 3 general controls (management, operational, and technical).\nThe areas contain 36 critical elements and 225 supporting security control\nobjectives and techniques (questions) about the system. The critical\nelements are derived primarily from the Office of Management and Budget\n(OMB) Circular A-130 and are integral to an effective information technology\n(IT) security program. The control objectives and techniques support the\ncritical elements. If a number of the control objectives and techniques are\nnot implemented, the critical elements have not been met.\n\n       The independent auditors assessed management, operational, and\ntechnical controls at a high risk to the protection of the WIN and MNET\nnetworks from unauthorized use, loss, or modification. Specifically, we\nidentified vulnerabilities in 16 of the 17 control areas as indicated in the\nchart below:\n\n\n\n\n1\n    In a September 1997 audit, report number 97-26, the OIG recommended that the Department\n    develop effective computer security program guidance. The Department then revised its policy and\n    released DOJ Order 2640.2D in July 2001, which was used in the analysis of this year\'s review.\n2\n    In this report, \xe2\x80\x9cwe\xe2\x80\x9d refers to either the OIG or to PwC working under the direction of the OIG.\n\n\n\n\n                                                   - ii -\n\x0c                                                                        VULNERABILITIES\n                          CONTROL AREAS3\n                                                                            NOTED\n       Management Controls\n       1. Risk Management\n       2. Review of Security Controls                                               \xe2\x88\x9a*\n       3. Life Cycle                                                                \xe2\x88\x9a*\n       4. Authorize Processing\n          (Certification and Accreditation)                                         \xe2\x88\x9a*\n       5. System Security Plan                                                      \xe2\x88\x9a*\n       Operational Controls\n       6. Personnel Security                                                        \xe2\x88\x9a*\n       7. Physical and Environmental Protection                                     \xe2\x88\x9a*\n       8. Production, Input/Output Controls                                         \xe2\x88\x9a*\n       9. Contingency Planning                                                      \xe2\x88\x9a*\n       10.Hardware and Systems Software Maintenance                                 \xe2\x88\x9a*\n       11.Data Integrity                                                            \xe2\x88\x9a*\n       12.Documentation                                                             \xe2\x88\x9a*\n       13.Security Awareness, Training, and Education                               \xe2\x88\x9a*\n       14.Incident Response Capability                                              \xe2\x88\x9a*\n       Technical Controls\n       15. Identification and Authentication                                        \xe2\x88\x9a*\n       16. Logical Access Controls                                                  \xe2\x88\x9a*\n       17. Audit Trails                                                             \xe2\x88\x9a*\n      Source: The OIG\xe2\x80\x99s FY 2002 GISRA audit of WIN and MNET.\n\n      \xe2\x88\x9a* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined\n             as one where extremely grave circumstances can occur when a remote or local attacker\n             violates the security protection of a system through user or root account access, gaining\n             complete control of a system and compromising critical information.\n\n\n     As a result of the findings identified in this report, we are providing\nrecommendations for improving WIN and MNET systems to ensure that WIN\nand MNET management:\n\n         \xe2\x80\xa2    Enforce the USMS policies and procedures developed to identify,\n              track, correct, and maintain the corrected status of identified\n              vulnerabilities.\n\n         \xe2\x80\xa2    Ensure that a system development life cycle (SDLC) methodology is\n              documented when planning, implementing, or maintaining a major\n              application or general support system.\n\n3\n    Control Areas as described in the NIST SP 800-26 \xe2\x80\x9cSecurity Self-Assessment Guide      for Information\n    Technology Systems.\xe2\x80\x9d\n\n\n\n                                                   - iii -\n\x0c\xe2\x80\xa2   Rescind the certification and accreditation and place WIN and MNET\n    in an interim approval to operate (IATO) status pending the\n    completion, at a minimum, of the security test & evaluation,\n    contingency plan, and system security plan. Also, develop a\n    corrective action plan establishing a schedule and milestones to\n    complete the security test & evaluation, contingency plan and test,\n    and system security plan while maintaining the IATO for no longer\n    than six months.\n\n\xe2\x80\xa2   Modify WIN and MNET system security plans and USMS strategic\n    plan to include the "Planning for Security in the Life Cycle" section,\n    as described in NIST SP 800-18.\n\n\xe2\x80\xa2   Assign a group or person with the responsibility of addressing IT\n    security and analyzing those controls that are deemed critical by\n    USMS, to ensure MNET meets the requirements set forth in the\n    upcoming/current C&A process. Maintain documentation evidencing\n    the successful completion of each review and the corrective actions\n    taken to address all issues identified. Finally, if the security\n    controls surrounding MNET are not strengthened, MNET should be\n    removed from production until all critical functions are properly\n    secured.\n\n\xe2\x80\xa2   Establish procedures to ensure a separation of duties so that\n    individuals responsible for developing the system are not tasked\n    with either system or security administration.\n\n\xe2\x80\xa2   Implement Department\xe2\x80\x99s physical security controls as described in\n    DOJ Order 2640.2D policy.\n\n\xe2\x80\xa2   Review all world-writeable files and directories. For any files and\n    directories not needed for proper functioning of the system, the file\n    permission should not be world-writeable. Users\xe2\x80\x99 files and\n    directories permission settings should be set in a manner that is\n    necessary for the user to fulfill job responsibilities and no more.\n\n\xe2\x80\xa2   Ensure that USMS management: (a) defines \xe2\x80\x9cumask\xe2\x80\x9d settings so\n    that only the owner can view or modify files; (b) construct \xe2\x80\x9cpath\xe2\x80\x9d\n    variables so that no world-writeable directories are included in the\n    path; and (c) ensure that all directories are searched appropriately\n    in the \xe2\x80\x9cpath\xe2\x80\x9d variable.\n\n\n\n\n                                - iv -\n\x0c\xe2\x80\xa2   Implement documented procedures for help desk personnel to\n    follow when performing their daily responsibilities.\n\n\xe2\x80\xa2   Establish documented procedures to control how and when media\n    and other types of USMS data are transferred.\n\n\xe2\x80\xa2   Complete a contingency plan for MNET and its associated\n    applications and conduct a realistic test of the plan and adjust as\n    indicated by the results of the test. Once the test results have been\n    incorporated into the plan, obtain approval of the plan.\n\n\xe2\x80\xa2   Perform backups of the running configuration to the routers\xe2\x80\x99\n    onboard memory. All changes made to the configuration should be\n    immediately backed up on a separate device. Where appropriate,\n    use back up systems to ensure system availability. Cisco hardware\n    offers advanced backup capabilities in case of hardware or software\n    failure. Mission critical routers (typically core routers) may be good\n    candidates to take advantage of Cisco backup capabilities.\n\n\xe2\x80\xa2   Remove software not required for business-related functions.\n\n\xe2\x80\xa2   Develop policies and procedures on the use of virus detection\n    software and intrusion detection software and train individuals who\n    will be monitoring the system.\n\n\xe2\x80\xa2   Create a system-warning banner. The warning message should be\n    reviewed and approved by the USMS General Counsel.\n\n\xe2\x80\xa2   Develop policies and procedures for securing Cisco routers.\n\n\xe2\x80\xa2   Inquire with USMS General Counsel to determine which segments\n    of the proposed Rules of Behavior document are delaying its\n    approval, work with USMS General Counsel to establish a set of\n    rules, and require all users to read and sign the Rules of Behavior\n    document to ensure the users are aware of the contents.\n\n\xe2\x80\xa2   Define who in USMS is responsible for incident response.\n\n\xe2\x80\xa2   Enforce Department-wide identification and authentication policies\n    to ensure that only authorized personnel can login to the system.\n    Also, designate a system administrator to ensure accounts do not\n    remain inactive on the system and ensure active accounts are\n    appropriate.\n\n\n\n                                -v-\n\x0c      \xe2\x80\xa2   Enforce Department-wide password policies and procedures and\n          install security tools on all servers to enforce restrictions on\n          passwords.\n\n      \xe2\x80\xa2   Remove accounts that do not require access to a privileged group.\n\n      \xe2\x80\xa2   Develop, implement, and monitor policy establishing specific\n          security standards and settings for running vulnerable services and\n          server configurations.\n\n      \xe2\x80\xa2   Require sensitive WIN data be encrypted before it is transferred\n          across the network.\n\n      \xe2\x80\xa2   Create an appropriate access list for all routers, and set timeout\n          values for an unattended console.\n\n      \xe2\x80\xa2   Activate Cisco routers\xe2\x80\x99 transmission control protocol (TCP) intercept\n          mode and configure routers to allow logging of specific access lists.\n\n      \xe2\x80\xa2   Implement and document policies and procedures requiring the\n          latest security patches be obtained from the systems\xe2\x80\x99 vendor and\n          that the patches are properly installed and configured.\n\n      \xe2\x80\xa2   Develop, implement, and monitor documented policy for\n          establishing specific password standards for Windows NT servers\n          and ensure the policy is compliant with current Department policies.\n\n      \xe2\x80\xa2   Implement procedures to ensure that system log messages are\n          reviewed on a regular basis with system alerts being sent if\n          problems arise.\n\n       Because of the significant vulnerabilities noted in this report, it is\ncritical that the USMS take immediate corrective action on the above\nrecommendations. We identified significant vulnerabilities in all but one\ncontrol area. Specifically, we noted vulnerabilities in the following areas:\nreview of security controls, life cycle, authorized processing, system security\nplan, personnel security, physical and environmental security, production\nand input/output controls, contingency planning, hardware and systems\nsoftware maintenance, data integrity, documentation, security awareness,\nincident response capability, identification and authentication, logical access\ncontrols, and audit trails. We assessed these vulnerabilities as a high risk to\nthe protection of WIN and MNET systems from unauthorized use, loss, or\nmodification. If not corrected, certification and accreditation to operate the\n\n\n\n                                      - vi -\n\x0cWIN and MNET systems should be rescinded until all vulnerabilities are\ncorrected.\n\n      We concluded that these vulnerabilities occurred because WIN and\nMNET management did not fully develop, enforce, or formalize\nagency-wide policies in accordance with current Department policies and\nprocedures. Additionally, we believe the Department did not enforce its\nsecurity policies and procedures to ensure that WIN and MNET systems were\nprotected from unauthorized use, loss, or modification through the\nDepartment\xe2\x80\x99s certification and accreditation process. Furthermore, we\nbelieve many of the vulnerabilities identified during this audit could have\nbeen prevented if WIN and MNET management had followed-up on\ncorrective actions for similar vulnerabilities identified in previous years.\n\n\n\n\n                                   - vii -\n\x0c                                    TABLE OF CONTENTS\n                                                                                               Page\n\nOBJECTIVE, SCOPE, AND METHODOLOGY.................................................. 1\n\nWARRANT INFORMATION NETWORK (WIN)\nAND MARSHAL NETWORK (MNET) ENVIRONMENT....................................... 2\n\nSUMMARY RESULTS OF THE AUDIT........................................................... 3\n\nFINDINGS AND RECOMMENDATIONS ........................................................ 4\n\nI.   Management Controls........................................................................ 4\n        A. Review of Security Controls ..................................................... 4\n        B. Life Cycle .............................................................................. 6\n        C. Authorize Processing (Certification and Accreditation) ................. 7\n        D. System Security Plan ............................................................. 9\n\nII. Operational Controls........................................................................     11\n        A. Personnel Security ...............................................................        11\n        B. Physical and Environmental Protection ....................................                13\n        C. Production and Input/Output Controls.....................................                 16\n        D. Contingency........................................................................       18\n        E. Hardware and System Software Maintanence...........................                       20\n        F. Data Integrity .....................................................................      21\n        G. Documentation....................................................................         23\n        H. Security Awareness, Training, and Education ...........................                   24\n        I. Incident Response Capability .................................................            26\n\nIII. Technical Controls...........................................................................   27\n         A. Identification and Authentication ............................................           27\n         B. Logical Access Controls .........................................................        33\n         C. Audit Trails .........................................................................   43\n\nCONCLUSION ...................................................................................... 44\n\nAPPENDIX I -        NATIONAL INSTITUTE OF STANDARDS AND\n                    TECHNOLOGY GENERAL AREAS OF CONTROL..................... 45\n\nAPPENDIX II - UNITED STATES MARSHALS RESPONSE TO THE OIG DRAFT\n              REPORT ........................................................................ 51\n\nAPPENDIX III - OIG, AUDIT DIVISION, ANALYSIS AND SUMMARY\n               OF ACTIONS NECESSARY TO CLOSE THE REPORT............... 58\n\x0c                OBJECTIVE, SCOPE, AND METHODOLOGY\n\n      The fiscal year (FY) 2001 Defense Authorization Act (Public Law 106-\n398) includes Title X, subtitle G, \xe2\x80\x9cGovernment Information Security Reform\nAct\xe2\x80\x9d (GISRA). GISRA became effective on November 29, 2000, and amends\nthe Paperwork Reduction Act of 1995 by enacting a new subchapter on\n"Information Security." It requires federal agencies to:\n\n  \xe2\x80\xa2   Have an annual independent evaluation of their information security\n      and practices performed.\n  \xe2\x80\xa2   Ensure information security policies are founded on a continuous risk\n      management cycle.\n  \xe2\x80\xa2   Implement controls that appropriately assess information security\n      risks.\n  \xe2\x80\xa2   Promote continuing awareness of information security risks.\n  \xe2\x80\xa2   Continually monitor and evaluate information security policies.\n  \xe2\x80\xa2   Control effectiveness of information security practices.\n  \xe2\x80\xa2   Provide a risk assessment and report on the security needs of the\n      agencies\xe2\x80\x99 systems, and include the report in their budget request to\n      the Office of Management and Budget (OMB).\n\n      The objective of the audit was to determine the U.S. Department of\nJustice\xe2\x80\x99s (Department) compliance with the requirements of GISRA. The\nUnited States Marshals Service\xe2\x80\x99s (USMS) Warrant Information Network\n(WIN) was selected as one of the subset of systems to be tested to\ndetermine the effectiveness of the Department\xe2\x80\x99s overall security program for\nFY 2002. WIN is accessed by both USMS district offices and headquarters\nusers through the Marshal Network (MNET). Because of WIN\xe2\x80\x99s dependence\non MNET, audit work was expanded to include MNET.\n\n       Under the direction of the Office of the Inspector General (OIG), and\nin accordance with Government Auditing Standards, PricewaterhouseCoopers\nLLP (PwC) performed the audit of WIN and MNET systems. In determining if\nthe Department is compliant with GISRA requirements, PwC assessed\nwhether adequate computer security controls existed to protect WIN and\nMNET systems from unauthorized use, loss, or modification.\n\n      The audit took place from June through July 2002. In this audit, we\nmet with USMS officials from the Information Technology Services staff. We\nalso met with representatives from the Department\xe2\x80\x99s Justice Management\nDivision and the Chief Information Officer. We reviewed documentation that\nincluded the USMS\xe2\x80\x99s IT documents, organizational structures, OMB GISRA\nreporting information, and prior OIG reports to assess the WIN network\xe2\x80\x99s\n\n\n                                    -1-\n\x0ccompliance with GISRA and related information security policies, procedures,\nstandards, and guidelines. We performed test work at the USMS\nheadquarters in Arlington, Virginia.\n\n      The interviews were conducted using the questionnaire contained in\nthe National Institute of Standards and Technology (NIST) Special\nPublication (SP) 800-26, \xe2\x80\x9cSecurity Self-Assessment Guide for Information\nTechnology Systems.\xe2\x80\x9d This questionnaire contains specific control objectives\nand suggested techniques against which the security of a system or group of\ninterconnected systems can be measured. The questionnaire contains 17\nareas under 3 general controls (management, operational, and technical).\nThe areas contain 36 critical elements and 225 supporting security control\nobjectives and techniques (questions) about the system. The critical\nelements are derived primarily from OMB Circular A-130 and are integral to\nan effective information technology (IT) security program. The control\nobjectives and techniques support the critical elements. If a number of the\ncontrol objectives and techniques are not implemented, the critical elements\nhave not been met.\n\n      The audit approach was based on the General Accounting Office\xe2\x80\x99s\nFederal Information System Controls Audit Manual, the Chief Information\nOfficer Council Framework, OMB Circular A-130, and guidance established by\nNIST. These authorities prescribe a review that evaluates the adequacy of\nmanagement, operational, technical controls over control areas listed in\nAppendix I.\n\nWIN AND MNET ENVIRONMENT\n\n      WIN contains the warrant, court records, internal correspondence\nrelated to the warrant, and other information on individuals for whom federal\nwarrants have been issued. WIN is used to track the status of all federal\nwarrants to aid in the investigations of all federal fugitives. It is also used to\naccess the National Law Enforcement Telecommunication System (NLETS)\nand National Crime Information Center (NCIC) systems to obtain criminal\nrecord information from other federal, state, local and foreign law\nenforcement agencies participating in or cooperating with USMS fugitive\ninvestigations and apprehension efforts and to update the respective\nsystems with new prisoner information.\n\n       WIN is accessed by both district offices and headquarters users\nthrough MNET, the backbone unclassified network for USMS operations.\nMNET is a sensitive but unclassified system that provides office automation\ntools to USMS personnel in carrying out their worldwide, mission-related\n\n\n                                      -2-\n\x0cfunctions. MNET is accessible from field sites and from certain other federal\nagencies and commercial organizations.\n\nSUMMARY RESULTS OF THE AUDIT\n\n      We tested to determine whether adequate computer security controls\nexisted to protect WIN and MNET from unauthorized use, loss, or\nmodification. Our testing consisted of assessing management, operational,\nand technical controls for 17 critical areas for WIN and MNET. Our testing\ndisclosed vulnerabilities within 16 of the 17 areas. These vulnerabilities\nwere identified as high risks to the protection of WIN and MNET. If not\ncorrected, these security vulnerabilities threaten WIN\xe2\x80\x99s and MNET\xe2\x80\x99s data with\nthe potential for unauthorized use, loss, or modification.\n\n      We concluded that these vulnerabilities occurred because WIN and\nMNET management did not fully develop, enforce, or formalize agency-wide\npolicy in accordance with current Department policies and procedures.\nAdditionally, we believe the Department did not enforce its security policies\nand procedures to ensure WIN and MNET were protected from unauthorized\nuse, loss, or modification through its certification and accreditation process.\nFurthermore, we believe many of the vulnerabilities identified during this\naudit could have been prevented if USMS management had followed-up on\ncorrective actions for similar vulnerabilities identified in previous years.\n\n\n\n\n                                     -3-\n\x0c                          FINDINGS AND RECOMMENDATIONS\n\n       Our review disclosed that security controls need improvement to fully\nprotect WIN and MNET from unauthorized use, loss, or modification. We\nfound security vulnerabilities in all but one critical control area. Specifically,\nvulnerabilities were identified in the following areas: review of security\ncontrols; life cycle; authorize processing; system security plan; personnel\nsecurity; physical and environmental protection; production and\ninput/output controls; contingency planning; hardware and software\nmaintenance; data integrity; documentation; security awareness, training\nand education; incident response capability; identification and\nauthentication; logical access controls; and audit trails. The vulnerabilities\nidentified in this report occurred because USMS management did not fully\ndevelop, enforce, or formalize agency-wide policy in accordance with current\nDepartment policies and procedures. Additionally, the Department did not\nenforce its security policies and procedures to ensure that WIN and MNET\nhad been fully secured through its certification and accreditation process.\n\nI.        Management controls. Management controls are techniques and\n          concerns that are normally addressed by management in the\n          organization\'s computer security program. In general, they focus on\n          the management of the computer security program and the\n          management of risk within the organization.\n\n                                                                             Vulnerabilities\n                      Management Controls\n                                                                                 Noted\n         Risk Management\n         Review of Security Controls                                                  \xe2\x88\x9a*\n         Life Cycle                                                                   \xe2\x88\x9a*\n         Authorize Processing (Certification and Accreditation)                       \xe2\x88\x9a*\n         System Security Plan                                                         \xe2\x88\x9a*\n     \xe2\x88\x9a* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined\n          as one where extremely grave circumstances can occur when a remote or local attacker\n          violates the security protection of a system through user or root account access, gaining\n          complete control of a system and compromising critical information.\n\n\n      As a result of testing management controls, we confirmed that controls\nwere adequate for WIN and MNET risk management. However, significant\nvulnerabilities were identified within the following management control\nareas:\n\nA. Review of Security Controls. Routine evaluations and corrective\n   actions on previously identified vulnerabilities are important elements of\n   managing system risk. When significant weaknesses are identified, the\n\n                                                   -4-\n\x0crelated risks should be reassessed, appropriate corrective actions taken,\nand follow-up monitoring performed to assure that corrective actions are\neffective.\n\nIssue: Inappropriate Security Controls\n\nCondition:\n\nIndependent reviews are only conducted once every three years. USMS\ndoes not conduct independent reviews when significant system changes\nor upgrades are implemented and completed. Additionally, weaknesses\nidentified in prior reports, such as: \xe2\x80\x9cIndependent Auditor\'s Report on\nInternal Control, Security Test & Evaluation Report,\xe2\x80\x9d and\n\xe2\x80\x9cPricewaterhouseCoopers Penetration Testing Report\xe2\x80\x9d were still present\nat the time of our audit.\n\nCause:\n\nUSMS has ineffective procedures for identifying, tracking, and correcting\nweaknesses. Additionally, we found that USMS has an inadequate\nnumber of trained IT security personnel on its team to identify and\ncorrect weaknesses in a timely manner.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 1 Section 11(b), Configuration Management,\nstates: \xe2\x80\x9cComponents shall\xe2\x80\xa6Document and test all changes before\nmodifying the accredited system and/or application so that new\nvulnerabilities are not introduced into the operational environment.\xe2\x80\x9d\n\nDOJ Order 2640.2D Chapter 1 Part 2, Section 7(e), Certification and\nAccreditation, states:\n\n"The DAA shall:\n\n\xe2\x80\xa2   Evaluate the certification findings and assess vulnerabilities and\n    residual risks.\n\n\xe2\x80\xa2   Approve corrective action and ensure its implementation."\n\nRisk:\n\nWithout prompt management action to identify and correct weaknesses,\nWIN and MNET systems remain vulnerable.\n\n                                 -5-\n\x0c     Recommendation:\n\n        1. We recommend that the Director, USMS:\n             a. Conduct independent reviews when significant system\n                changes or upgrades are implemented and completed.\n\n                 b. Enhance and enforce USMS policies and procedures for\n                    identifying, tracking, and correcting vulnerabilities.\n                    Additionally, maintain a status report on corrective actions\n                    performed.\n\n                 c. Increase the number of trained IT security personnel in\n                    order to identify and correct system weaknesses in a\n                    timely manner.\n\nB.   Life Cycle. Like other aspects of an IT system, security is best\n     managed if planned for the entire IT system life cycle. There are many\n     models for the IT system life cycle, but most contain five basic phases:\n     initiation, development/acquisition, implementation, operation, and\n     disposal. Assessing a system\xe2\x80\x99s life cycle involves determining whether\n     the following critical items are established: a system development life\n     cycle methodology and system change controls that track a program\xe2\x80\x99s\n     progress through testing to final approval.\n\n     Issue: Inadequate Systems Development\n\n     Condition:\n\n     The USMS currently does not have a documented and approved system\n     development life cycle (SDLC) for WIN and MNET systems.\n\n     Cause:\n\n     USMS management is not committed to providing adequate resources to\n     establish a formal documented methodology that describes how USMS\n     personnel should develop, implement, and maintain systems.\n\n     Criteria:\n\n     DOJ Order 2640.2D Chapter 1, Part 6, Information Technology Security\n     Life Cycle, states: "Components shall develop and implement a risk-\n     based security process to provide security throughout the life cycle of all\n     systems supporting their operations and assets."\n\n\n                                       -6-\n\x0c    Risk:\n\n    The absence of a documented and approved SDLC can lead to numerous\n    complications in the development process that can cause system\n    failures, system vulnerabilities and increases in project cost. In\n    addition, inadequate software testing and planning can allow the system\n    to enter production with major system flaws while also causing the\n    project to go over budget.\n\n    Recommendation:\n\n        2. We recommend that the Director, USMS, ensure that a\n           documented and approved SDLC methodology is applied when\n           planning, implementing, or maintaining a major applications or\n           general support systems.\n\nC. Authorize Processing (Certification and Accreditation). Authorize\n   processing provides a form of assurance of the security of the system.\n   Computer security assurance is the degree of confidence one has that\n   the security measures, both technical and operational, work as intended\n   to protect the system and the information it processes. Certification is a\n   formal process for testing components or systems against a specified set\n   of security requirements while accreditation is a management official\'s\n   formal acceptance of the adequacy of a system\'s security. Computer\n   security accreditation forces managers and technical staff to work\n   together to find workable, cost-effective solutions given security needs,\n   technical constraints, operational constraints, and mission or business\n   requirements.\n\n   Issue: Inadequate Documentation to Support Certification and\n   Accreditation\n\n   Condition:\n\n   Several significant documents that support the certification and\n   accreditation (C&A) of WIN and MNET systems are not complete. These\n   documents include the systems\xe2\x80\x99 contingency plan, security test and\n   evaluation (ST&E), and security plan. Therefore, the C&A requirements\n   are not adequately fulfilled.\n\n\n\n\n                                    -7-\n\x0cCause:\n\nAccording to USMS, there is an inadequate level of USMS resources\n(e.g., financial, human) to create these documents. As a result, the\nUSMS individuals responsible for system accreditation are willing to\naccept high levels of risk.\n\nCriteria:\n\nDOJ Order 2640.D Chapter 1 Section 7, Certification and Accreditation,\n\xe2\x80\x9cComponents shall ensure the certification and accreditation of all\nsystems under their operational control.\n\n  a. All systems shall be certified and accredited prior to being placed\n     into operation. Therefore, until an IT system is certified and\n     accredited, no operational data can be used for any purpose,\n     including testing in pilot systems if live data is used or if the pilot\n     system is connected to a department network.\n\n  b. Each component shall designate a Certification Official for each\n     system.\n\n  c. For each classified and sensitive but unclassified (SBU) system the\n     Certification Official shall:\n\n     (1)    Ensure a system security plan is prepared and maintained\n            throughout the system life cycle.\n     (2)    Ensure a risk analysis is performed to identify security risks,\n            determine their magnitude, and identify areas needing\n            safeguards.\n     (3)    Ensure a system test and evaluation is conducted and the\n            results of such tests are documented.\n     (4)    Ensure Rules of Behavior and security procedures/guides are\n            developed.\n     (5)    Ensure a contingency plan is prepared and tested.\n     (6)    Prepare the summary of compliance with the security\n            requirements and the statement of residual risk.\n     (7)    Prepare a security evaluation report on the status of the\n            certification and recommend to the Designated Approving\n            Authority (DAA) whether or not to accredit the system based\n            on documented residual risks.\n\n\n\n\n                                   -8-\n\x0c           (8)   Prepare the accreditation grant for the DAA\'s signature.\n           (9)   Submit the certification and accreditation package for\n                 classified systems to the Security and Emergency Planning\n                 Staff, JMD, and for SBU systems to the Information\n                 Management and Security Office (IMSO), JMD, for\n                 independent verification and validation.\xe2\x80\x9d\n\n   Risk:\n\n   Allowing the system to be certified and accredited without adequate\n   documentation of the risks of the system, system contingency plan, and\n   security controls and with vulnerabilities present within the system\n   increases the likelihood that the true security state of the system will be\n   misconstrued and misrepresented.\n\n   Recommendation:\n\n        3. We recommend that the Director, USMS:\n\n                 a. Rescind the C&A and place WIN and MNET systems in an\n                    IATO status for no longer than six months while\n                    completing, at a minimum, the systems\xe2\x80\x99 ST&E,\n                    contingency plan, and security plan.\n\n                 b. Develop a corrective action plan establishing a schedule\n                    and milestones to complete the ST&E, contingency plan\n                    (including test of the contingency plan), and security plan\n                    within the six-month IATO period.\n\nD. System Security Plans. A system security plan provides an overview\n   of the security requirements of the system and describe the controls in\n   place or planned for meeting those requirements. The plan delineates\n   responsibilities and expected behavior of all individuals who access the\n   system.\n\n   Issue: Inadequate System Security Plan\n\n   Condition:\n\n   We found the security plan for WIN and MNET systems to be inadequate.\n   The previously approved security plan for MNET does not include the\n   security plan for WIN. Additionally, the MNET security plan is outdated\n   because the system\xe2\x80\x99s interim authority has expired and the security plan\n\n                                      -9-\n\x0cno longer meets the requirements set forth in that authority.\nFurthermore, USMS has no current strategic plan or similar document\nthat discusses security plans at the component level.\n\nCause:\n\nWe found that USMS management is not committed to providing\nadequate resources to establish a formal security position that focuses\non USMS security and is accountable for security plans. Additionally, the\nUSMS security team has an inadequate number of trained security\npersonnel to address corrective actions in a timely manner.\n\nCriteria:\n\nNIST SP 800-18, Guide for Developing Security Plans for Information\nTechnology Systems, requires that all security plans for major systems\nor general support systems contain a section describing "Planning for\nSecurity in the Life Cycle.\xe2\x80\x9d\n\nFurther, the system is governed by a condition in the MNET Accreditation\nStatement that states: "Based on my authority and judgment, and\nweighing the residual risks against operational requirements, I [the\nDesignated Approving Authority (USMS\xe2\x80\x99s CIO)] authorize the interim\noperation of the USMS MNET Headquarters for six months to provide an\nopportunity for satisfactory resolution of the issues delineated in the\nSSAA [System Security Authorization Agreement] Appendix H. When\nthese issues have been satisfactorily resolved, the USMS MNET\nHeadquarters will be granted a full accreditation."\n\nRisk:\n\nFailing to mitigate risks identified during a C&A process that resulted in\n"an interim approval to operate,\xe2\x80\x9d could potentially require the system to\nbe taken out of production.\n\nRecommendation:\n\n     4. We recommend that the Director, USMS, ensure that USMS\n        management:\n\n            a. Modify the WIN system security plan, USMS strategic plan,\n               to include the "Planning for Security in the Life Cycle"\n               section, as described in NIST SP 800-18.\n\n\n                                 - 10 -\n\x0c                   b. Assign a group (or person) with the responsibility for\n                      correcting security vulnerabilities and analyzing those\n                      controls that are deemed critical by USMS to ensure WIN\n                      and MNET systems meet the requirements set forth in the\n                      upcoming/current C&A process and documenting all actions\n                      taken. Finally, if the security controls surrounding WIN and\n                      MNET are not strengthened, remove WIN and MNET from\n                      production until all critical functions are adequately secured.\n\nII.      Operational Controls. Operational controls address security controls\n         that are implemented and executed by people. These controls are put\n         in place to improve the security of a particular system. They often\n         require technical or specialized expertise and rely upon management\n         activities as well as technical controls.\n\n                                                                           Vulnerabilities\n                     Operational Controls\n                                                                               Noted\n        Personnel Security                                                          \xe2\x88\x9a*\n        Physical and Environmental Protection                                       \xe2\x88\x9a*\n        Production, Input/Output Controls                                           \xe2\x88\x9a*\n        Contingency Planning                                                        \xe2\x88\x9a*\n        Hardware and Systems Software Maintenance                                   \xe2\x88\x9a*\n        Data Integrity                                                              \xe2\x88\x9a*\n        Documentation                                                               \xe2\x88\x9a*\n        Security Awareness, Training, and Education                                 \xe2\x88\x9a*\n        Incident Response Capability                                                \xe2\x88\x9a*\n      \xe2\x88\x9a* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined\n           as one where extremely grave circumstances can occur when a remote or local attacker\n           violates the security protection of a system through user or root account access, gaining\n           complete control of a system and compromising critical information.\n\n\n       Our testing identified vulnerabilities within all nine critical areas of\noperational controls. The specific details of the identified vulnerabilities are\nlisted below.\n\nA. Personnel Security. Many important issues in computer security\n   involve human users, designers, implementers, and managers. A broad\n   range of security issues relates to how these individuals interact with\n   computers and the access and authorities they need to do their jobs.\n\n\n\n\n                                                 - 11 -\n\x0cIssue: Inadequate Separation of Duties\n\nCondition:\n\nWIN system security administration responsibilities are not adequately\nseparated to ensure least privilege and individual accountability. The\nsame individual is responsible for WIN application development, system\nadministration, and system security.\n\nCause:\n\nAccording to the USMS, there is an inadequate number of trained IT\nsecurity personnel on the USMS security team to assume IT security\nadministration responsibilities.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2, Section 18 (l)(a) and (c), states:\n\xe2\x80\x9cDepartment IT systems shall have assignment and segregation of\nsystem responsibilities defined and documented\xe2\x80\xa6At a minimum, there\nshall be a clearly defined role for a security administrator and a system\nadministrator.\xe2\x80\x9d Additionally, \xe2\x80\x9cControls [compliant with Department\naccess control policies] shall be in place to ensure that the user [and\nadministrators] has access to only the resources required to accomplish\ntheir duties and no more.\xe2\x80\x9d\n\nRisk:\n\nAssigning the same individual to be responsible for development, system\nadministration, and security administration grants a single individual the\nability to change critical resources without authorization or detection.\nAdditionally, this condition could potentially allow practices inconsistent\nwith management intentions, requirements, acceptable security\nstandards, and for segregation of duties to be compromised; thus,\ncreating unnecessary risk.\n\nRecommendation:\n\n     5. We recommend that the Director, USMS, establish procedures to\n        ensure a separation of duties between individuals responsible for\n        developing the system and those responsible for system or\n        security administration.\n\n\n\n                                - 12 -\n\x0cB. Physical and Environmental Protection. Physical security and\n   environmental security are the measures taken to protect systems,\n   buildings, and related supporting infrastructures against threats\n   associated with their physical environment.\n\n   Issue: Inadequate Physical and Environmental Controls\n\n   Condition:\n\n   We found that physical and environmental controls surrounding the\n   USMS computer room and building are inadequate. Backup tape rotation\n   procedures, emergency exit and re-entry procedures, and fire and flood\n   related controls are also inadequate. In addition, visitor access is not\n   documented.\n\n   Cause:\n\n   This occurred because USMS management was not enforcing proper\n   physical security.\n\n   Criteria:\n\n   DOJ Order 2640.2D, states: "Department IT systems shall be physically\n   protected commensurate with the highest classification or sensitivity of\n   the information. Department IT systems shall be environmentally\n   protected, and the means for providing this protection shall be\n   documented. Facilities supporting large scale IT operations, such as\n   enterprise servers and telecommunication facilities, require consideration\n   of additional environmental and physical controls as determined by a risk\n   analysis."\n\n   Risk:\n\n   Insufficient physical and environmental controls can lead directly to\n   major security incidents, such as theft and/or destruction, or to damage\n   from accidental, natural or terrorist causes.\n\n\n\n\n                                   - 13 -\n\x0cRecommendation:\n\n    6. We recommend that the Director, USMS, implement\n       Department\xe2\x80\x99s physical security controls as described in DOJ\n       Order 2640.2D.\n\nIssue: World-Writeable Files\n\nCondition:\n\nWe found two UNIX servers had 45,136 world-writeable files and\ndirectories including two files that are critical to system operation. Files\nand directories that are world-writeable allow any user on the system the\nability to modify or delete their contents.\n\nCause:\n\nMany of the world-writeable files and directories appeared to exist due to\nimproper configuration of WIN on the part of USMS management.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n"Enable the use of resources such as data and programs necessary to\nfulfill job responsibilities and no more."\n\nRisk:\n\nImproper configuration of home files directories could potentially allow a\nuser to obtain the level of access of another identity on the server. If\nthe compromise is business-critical, then this vulnerability is high-risk\nand could be exploited to gain privileged access on the server.\n\nRecommendation:\n\n    7. We recommend that the Director, USMS, ensure that USMS\n       management review all world-writeable files and directories. For\n       any files and directories not needed for proper functioning of the\n       system, the file permission should not be world-writeable.\n       Users\xe2\x80\x99 files and directories permission settings should be set in a\n       manner that is necessary for the user to fulfill job responsibilities\n       and no more.\n\n\n                                 - 14 -\n\x0cIssue: User Parameter Settings\n\nCondition:\n\nWe found 16 files on 2 UNIX servers that contained improperly set\n\xe2\x80\x9cumask\xe2\x80\x9d values and 27 files on 2 UNIX servers that had insecure \xe2\x80\x9cpath\xe2\x80\x9d\nvariables. The "umask" variable is used for default file-creation\npermissions. Unsafe "umask" settings allow users, other than the owner\nof the file, read and or write permissions to files. This increases the risk\nthat unauthorized users view, delete, or modify sensitive or proprietary\ninformation.\n\nCause:\n\nThese conditions appear to exist due to the USMS\xe2\x80\x99s improper\nconfiguration of the \xe2\x80\x9cpath\xe2\x80\x9d variables and \xe2\x80\x9cumask\xe2\x80\x9d values.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16 (a) and (f), Access Control,\nstates that the system must: \xe2\x80\x9cEnable the use of resources such as data\nand programs necessary to fulfill job responsibilities and no more\n\xe2\x80\xa6Protect the system, its data and applications, from unauthorized\ndisclosure, modification, or erasure."\n\nRisk:\n\nInsecure PATH variables increase the risk that users will be deceived by\ncommon system commands such as list files, which are executed instead\nof the system list files. For example, an unauthorized user could write a\nprogram that performs certain functions and call the program list files.\nWhen an authorized user invokes the list files command, the bogus list\nfiles program would be executed.\n\nRecommendation:\n\n     8. We recommend that the Director, USMS, ensure that USMS\n        management:\n\n         a. Define the \xe2\x80\x9cumask\xe2\x80\x9d settings so that only the owner can view\n            or modify files.\n\n\n\n\n                                 - 15 -\n\x0c            b. Construct \xe2\x80\x9cpath\xe2\x80\x9d variables so that no world-writeable\n               directories are included in the path.\n\n            c. Ensure that all directories are searched appropriately in the\n               \xe2\x80\x9cpath\xe2\x80\x9d variable.\n\nC. Production and Input/Output Controls. There are many aspects to\n   IT operations support. Topics range from a user help desk to procedures\n   for storing, handling, and destroying media.\n\n   Issue: Help Desk Policies and Procedures Do Not Exist\n\n   Condition:\n\n   A system help desk is designed to offer advice and respond to system\n   security incidents in a timely manner, and assist users with the operation\n   of the system and applications (including the re-setting of user\n   passwords). At the time of our audit, USMS did not implement adequate\n   security controls pertaining to its help desk operation. Specifically, we\n   noted that USMS do not have documented procedures for help desk\n   personnel to follow when assisting WIN and MNET users. Additionally, no\n   controls exist to ensure that users\xe2\x80\x99 account passwords are properly reset\n   when accounts are locked, or when users forget their passwords.\n\n   Cause:\n\n   According to USMS personnel, the shortage of personnel on the USMS IT\n   security team has resulted in an inability to handle the associated\n   responsibilities and daily tasks required to maintain a secure computing\n   environment and help desk operations that are compliant with\n   Department policy.\n\n   Criteria:\n\n   NIST SP 800.18, Section 5.MA.3, states: "...provide a synopsis of the\n   procedures in place that support the operations of the application such\n   as using questions like, \xe2\x80\x98Is there a help desk or group that offers advice\n   and can respond to security incidents in a timely manner? Are there\n   procedures in place documenting how to recognize, handle, and report\n   incidents and/or problems...\xe2\x80\x99"\n\n\n\n\n                                    - 16 -\n\x0cRisk:\n\nWithout documented help desk policies and procedures, unauthorized\nindividuals could potentially exploit the help desk by fraudulently\npresenting themselves as an authorized user, which could allow them to\nchange passwords and obtain unauthorized access. Unauthorized\nindividuals could potentially gain access to sensitive USMS data, allowing\nthem to make personal gains based on the type of data.\n\n\nRecommendation:\n\n    9. We recommend that the Director, USMS, ensure that USMS\n       management implement documented procedures for help desk\n       personnel to follow when performing their daily responsibilities.\n\nIssue: Media Controls\n\nCondition:\n\nNo documented process has been established to ensure only authorized\nindividuals can pick up, receive, or deliver input/output information and\nmedia. In addition, no formal process has been established to ensure\nadequate audit trails are maintained for inventory management of such\nmedia.\n\nCause:\n\nAccording to USMS personnel there are inadequate numbers of trained\nsecurity personnel on the USMS security team to handle the associated\nresponsibilities.\n\nCriteria:\n\nUSMS Manual Section 9.2-2, Limited Official Use Information,\nstates: "Limited Official Use (LOU) information used by USMS must\nbe maintained, distributed, secured and disposed of in a manner\nthat will protect the information against unauthorized disclosure.\nThis section sets forth the requirements for safeguarding\nunclassified but sensitive information."\n\n\n\n\n                                - 17 -\n\x0cDOJ Order 2640.2D Section 19, Accountability and Audit Trails,\nstates: \xe2\x80\x9c\xe2\x80\xa6Maintain an audit trail of activity sufficient to reconstruct\nsecurity relevant events.\xe2\x80\x9d\n\nRisk:\n\nWithout documented procedures for media security controls,\nunauthorized individuals could potentially obtain access to sensitive\nUSMS data. This condition could potentially allow practices inconsistent\nwith management intentions, requirements, and acceptable security\nstandards.\n\nRecommendation:\n\n   10. We recommend that the Director, USMS, establish documented\n       procedures to control how and when media and other types of\n       USMS data are transferred. An audit trail should also be\n       maintained to evidence such events.\n\nD. Contingency Planning. Contingency planning ensures continued\noperations by minimizing the risk of events that could disrupt normal\noperations and having an approach in place to respond to those events\nshould they occur.\n\nIssue: No Documented Contingency Plan Exists\n\nCondition:\n\nContingency plans were not documented or tested for the MNET and WIN\nsystems.\n\nCause:\n\nAccording to USMS, there is a shortage of trained security personnel on\nthe USMS security team resulting in the inability to develop a\ncontingency plan.\n\nCriteria:\n\nSection 9.4-10 Contingency Planning, of the USMS Manual states,\n"Contingency planning is required to ensure continuity of ADP operations\nto the greatest degree possible of data processed or stored by the ADP\n\n\n                                  - 18 -\n\x0c   systems. Contingency plans will be generated for each ADP facility and\n   will be submitted to the Computer Systems Program Manager for review\n   and approval upon generation. Approved contingency plans will be\n   tested by personnel from each ADP facility at least once annually to\n   ensure adequacy of scope and operation. Any deficiencies noted by the\n   test will result in a revision to the contingency plan and resubmission to\n   the Computer Systems Program Manager."\n\n   Risk:\n\n   Without a comprehensive, tested contingency plan, USMS management\n   cannot be assured of the ability to restore critical systems in a timely\n   fashion following a disaster or significant service interruption.\n\n   Recommendation:\n\n      11. We recommend that the Director, USMS, ensure that USMS\n          management complete a contingency plan for MNET and its\n          associated applications and conduct a realistic test of the plan\n          and adjust as indicated by the results of the test. Once the test\n          results have been incorporated into the plan, obtain approval of\n          the plan.\n\nIssue: Cisco Router Fault Tolerance is Inadequate\n\n   Condition:\n\n   We found fault tolerance controls are inadequate on the Cisco router.\n   Backup configuration files are stored inadequately and the Cisco router\n   does not take advantage of backup capabilities.\n\n   Cause:\n\n   According to USMS personnel, these conditions are due to lack of\n   additional hardware for fault tolerance purposes.\n\n   Criteria:\n\n   DOJ Order 2640.2D Chapter 2, Security Program Management\n   Contingency Planning/Business Resumption Planning, states:\n   "Components shall plan for how they will perform their missions in the\n   event their IT systems are unavailable and how they will recover these\n   IT systems in the event of loss or failure."\n\n\n                                   - 19 -\n\x0c   Risk:\n\n   If the running configuration becomes corrupt, the router will boot with\n   the startup configuration stored in its memory. It is essential that\n   configuration is kept up-to-date.\n\nRecommendation:\n\n     12. We recommend that the Director, USMS, ensure that USMS\n         management performs backups of the running configuration to the\n         routers\xe2\x80\x99 onboard memory. All changes made to the configuration\n         should be immediately backed up on a separate device. Where\n         appropriate, use backup systems to ensure system availability.\n         Cisco hardware offers advanced backup capabilities in case of\n         hardware or software failure. Mission critical routers (typically core\n         routers) may be good candidates to take advantage of the Cisco\n         backup capabilities.\n\nE. Hardware & Software Maintenance. These are controls used to\n   monitor the installation of, and updates to, hardware and software to\n   ensure that the system functions as expected and that a historical record\n   is maintained of changes.\n\nIssue: System Software\n\n   Condition:\n\n   The winsvr server contains a compiler, which does not support a\n   business need.\n\n   Cause:\n\n   This condition appears to exist due to USMS not knowing the software\n   was on the system.\n\n   Criteria:\n\n   USMS Security Policy and Procedures Manual - Volume IX Section 9.4-\n   19, System Software, states: "Software which is not used for official\n   USMS operations shall not be loaded onto USMS ADP systems and any\n   such software already present on ADP systems upon receipt from a\n   vendor or manufacturer shall be purged from the system upon receipt."\n\n\n                                    - 20 -\n\x0c     Risk:\n\n     Inappropriate use of software on the server might lead to potential risks\n     including, but no limited to, service disruption and legal issues.\n\n     Recommendation:\n\n           13. We recommend that the Director, USMS, ensure that USMS\n               management remove any software not required for business-\n               related functions.\n\nF.    Data integrity. Data integrity controls are used to protect data from\n     accidental or malicious alteration or destruction and to provide assurance\n     to the user that the information meets expectations about its quality and\n     integrity.\n\n     Issue: Inadequate Data Integrity, Validation Controls, and Virus\n     Detection Controls\n\n     Condition:\n\n     Although virus detection software is installed on MNET workstations,\n     virus detection and elimination software are not installed on the\n     application servers. Additionally, workstation virus detection software is\n     not updated in a timely manner.\n\n     Cause:\n\n     A shortage of trained security personnel on the USMS security team\n     resulted in the USMS not being able to install and update virus detection\n     software for all of its systems.\n\n     Criteria:\n\n     DOJ Order 2640.2D, Chapter 3 Section 35, states: "All Department IT\n     systems shall employ virus protection software. Anti-virus software\n     shall:\n\n       \xe2\x80\xa2     Detect and eliminate viruses on computer workstations, laptops,\n             servers, and simple mail transfer protocol gateways.\n\n\n\n\n                                      - 21 -\n\x0c  \xe2\x80\xa2     Be enabled on workstations and servers at start-up and employ\n        resident scanning.\n\n  \xe2\x80\xa2     On servers, update virus signature files immediately, or as soon as\n        possible, with each new release."\n\nRisk:\n\nThe lack of virus detection software leaves the system vulnerable to\ncommon types of virus and possibly corruption or disruption of system\nservices.\n\nRecommendation:\n\n      14. We recommend that the Director, USMS, ensure that USMS\n          management develops policies and procedures to ensure the\n          installation and use of virus detection software and intrusion\n          detection software and train individuals to use it properly.\n\nIssue: Warning Banner\n\nCondition:\n\nThe winsrv server does not display a system-warning banner when users\nlog onto the server.\n\nCause:\n\nWe concluded that USMS personnel were not aware that there was a\nrequirement for a system-warning banner.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 18, Password Management,\nstates: \xe2\x80\x9cAll Department IT systems shall implement a system banner\nthat provides warnings: to employees that accessing the system\nconstitutes consent to system monitoring for law enforcement and other\npurposes; and to unauthorized users that their use of the system may\nsubject them to criminal prosecution and/or criminal or civil penalties.\xe2\x80\x9d\n\n\n\n\n                                  - 22 -\n\x0c    NIST SP 800-14, Generally Accepted Principles and Practices for\n    Securing Information Technology Systems, Section 3.3.1, states:\n    \xe2\x80\x9cThe many different components of risk should be examined. This\n    examination normally includes gathering data about the threatened area\n    and synthesizing and analyzing the information to make it useful. The\n    types of areas are...Vulnerability Analysis. A vulnerability is a condition\n    or weakness in (or absence of) security procedures, technical controls,\n    physical controls, or other controls that could be exploited by a threat."\n\n    Risk:\n\n    The winsrv server provides information to users before they are\n    authenticated to the server. It is important to inform users of the\n    sensitive nature of the resources they are using. In attempting to gain\n    useful information for compromising the server, an unauthorized user\n    could use this information. The USMS\xe2\x80\x99s ability to prosecute criminals\n    may be undercut by its inability to prove they abused systems knowing\n    they were to be used only for official purposes. It is also a good\n    practice to proactively inform users they are subject to audit.\n\n    Recommendation:\n\n       15. We recommend that the Director, USMS, ensure that USMS\n           management creates a system-warning banner. The warning\n           message should be reviewed and approved by the USMS\xe2\x80\x99s\n           General Counsel.\n\nG. Documentation. Documentation refers to the descriptions of the\n   hardware, software, policies, standards, procedures, and approvals\n   related to the system and that formalize the system\xe2\x80\x99s security controls.\n   Assessing documentation involves evaluating the USMS\xe2\x80\x99s efforts to\n   complete the following critical requirements:\n\n        o There is sufficient documentation that explains how\n          software/hardware is to be used.\n        o There are documented formal security and operational\n          procedures.\n\n\n\n\n                                    - 23 -\n\x0c    Issue: Cisco Router Policies\n\n    Condition:\n\n    We found no documented policies for securing existing Cisco routers and\n    implementing future routers.\n\n    Cause:\n\n    We concluded that USMS management has not placed a high priority on\n    documenting router policies.\n\n    Criteria:\n\n    DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n    "Protect the system, its data and applications, from unauthorized\n    disclosure, modification, or erasure."\n\n    Risk:\n\n    Proper security policies and operating procedures for routers and\n    supporting devices are essential for maintaining the networking\n    environment\n\n    Recommendation:\n\n        16. We recommend that the Director, USMS, ensure that USMS\n            develop, as well as implement, policies and procedures for\n            securing Cisco routers.\n\nH. Security Awareness, Training, and Education. People are a crucial\n   factor in ensuring the security of computer systems and valuable\n   information resources. Security awareness, training, and education\n   enhance security by improving awareness of the need to protect system\n   resources. Additionally, training develops skills and knowledge so\n   computer users can perform their jobs more securely and build in-depth\n   knowledge.\n\n\n\n\n                                   - 24 -\n\x0cIssue: No "Rules of Behavior" Document Has Been Approved\n\nCondition:\n\nNo Rules of Behavior document has been approved by USMS to provide\nguidance on how to use USMS systems. In addition, users have not\nbeen given adequate training and education regarding rules of behavior.\n\nCause:\n\nUSMS developed a Rules of Behavior document that contains relevant\ninformation for users to follow while using USMS systems. However,\nUSMS requires the General Counsel approval before distribution to users.\nUnfortunately, the General Counsel has failed to return or validate the\nproposed Rules of Behavior in a timely manner, preventing the\ndistribution of this document.\n\nCriteria:\n\nDOJ Order 2640.2D, Chapter 1 Section 7, states: "For each classified and\nSBU system the Certification Official shall...Ensure Rules of Behavior and\nsecurity procedures/guides are developed."\n\nRisk:\n\nThe lack of a Rules of Behavior document could potentially have several\nnegative effects. For example, users could choose an action that violates\nthe Department\xe2\x80\x99s requirements inadvertently or out of ignorance. Also,\nUSMS could potentially be unable to hold certain users accountable for\ntheir actions given the lack of express instructions describing appropriate\nactivities.\n\nRecommendation:\n\n   17. We recommend that the Director, USMS, ensure USMS\n       management:\n\n             a. Inquire with the General Counsel to determine which\n                segments of the proposed Rules of Behavior document\n                are delaying the approval and work with the General\n                Counsel to establish a set of rules that meets\n                Department\xe2\x80\x99s requirements.\n\n\n                                - 25 -\n\x0c               b. Require all users, including both government and\n                  contract employees, to read and sign the Rules of\n                  Behavior document to ensure the users are aware of the\n                  contents.\n\nI. Incident Response Capability. Computer security incidents are an\n   adverse event in a computer system or network. Such incidents are\n   becoming more common and their impact can be far-reaching.\n\n  Issue: Formal Incident Response Procedures Have Not Been\n  Established\n\n  Condition:\n\n  We found that USMS has no written incident response procedures.\n\n  Cause:\n\n  According to USMS personnel, there is a shortage of trained IT security\n  personnel on the USMS security team, preventing USMS from establishing\n  written incident response policies and procedures.\n\n  Criteria:\n\n  DOJ Order 2640.2D, Chapter 1 Section 5, states: "For SBU systems,\n  security incidents that meet the criteria established by the Department of\n  Justice Computer Emergency Response Team (DOJCERT) shall be\n  reported by the component to DOJCERT within time frames established by\n  DOJCERT."\n\n  Risk:\n\n  Without a clear definition of responsibilities for incident response, the\n  likelihood that an incident will not be handled properly and in accordance\n  with USMS and Department procedures is increased, which could increase\n  the harm to the system or decrease the effectiveness of a response.\n\n  Recommendation:\n\n       18. We recommend that the Director, USMS, ensure that USMS\n           management define responsibilities for incident response, and\n\n\n\n                                  - 26 -\n\x0c                  coordinate and complete an agreement that clearly states who\n                  is responsible for incident response for USMS.\n\nIII.    TECHNICAL CONTROLS. Technical controls focus on security\n        controls that the computer system executes and depend upon the\n        proper functioning of the system to be effective. Technical controls\n        also require significant operational considerations and should be\n        consistent with the management of security within the organization.\n\n       We assessed the effectiveness of operational and technical controls on\nWIN and MNET systems by using commercial off-the-shelf and proprietary\nsoftware to conduct penetration testing on the system. A penetration test is\na security test in which evaluators attempt to access sensitive information\non the system to determine whether appropriate security controls are in\nplace.\n\n                                                                  Vulnerabilities\n              Technical Controls\n                                                                      Noted\n    Identification and Authentication                                      \xe2\x88\x9a*\n    Logical Access Controls                                                \xe2\x88\x9a*\n    Audit Trails                                                           \xe2\x88\x9a*\n \xe2\x88\x9a* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined\n       as one where extremely grave circumstances can occur when a remote or local attacker\n       violates the security protection of a system through user or root account access, gaining\n       complete control of a system and compromising critical information.\n\n\n   As a result of testing USMS technical controls, we confirmed that controls\nwere not adequate.\n\nA. Identification and Authentication. Identification and authentication\n   is a technical measure that prevents unauthorized people (or\n   unauthorized processes) from entering an IT system. Access control\n   usually requires that the system be able to identify and differentiate\n   among users.\n\n    Issue: User Account Management Is Improperly Configured\n\n    Condition:\n          \xe2\x80\xa2   Two out of 144 accounts on winsrv do not have a valid business\n              need.\n\n          \xe2\x80\xa2   Duplicate root-equivalent accounts (both have a user identification\n              (UID) of 0) exist on hq001.\n\n\n                                                - 27 -\n\x0c   \xe2\x80\xa2   Users are not required to log in as unprivileged users from any\n       terminal, except the console, on winsrv and hq001.\n\n   \xe2\x80\xa2   Users who must access a shared account, such as root, are not\n       required to first log in with an individual account and then be\n       switched to the shared account on winsrv and hq001.\n\n   \xe2\x80\xa2   No formal process has been established by USMS to describe\n       authorized users and their associated access privileges.\n\nCause:\n\n   \xe2\x80\xa2   The accounts that do not have a valid business need appear to be\n       unnecessary default accounts that were never removed.\n\n   \xe2\x80\xa2   The duplicate root-equivalent accounts appear to exist only for the\n       matter of convenience.\n\n   \xe2\x80\xa2   Users are not required to log in as unprivileged users from other\n       servers because of the convenience.\n\n   \xe2\x80\xa2   Users who must access a shared account (such as root) are not\n       being required to first log in with an individual account and then\n       be switched to root because of the convenience.\n\n   \xe2\x80\xa2   No formal process has been established by USMS to describe\n       authorized users and their associated access privileges because\n       USMS currently does not assign the responsibility of security\n       (and/or user management) to a specific individual who has the\n       resources and experience to properly secure this environment.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16, Access Control, states that the\nsystem must: "Enable the use of resources such as data and programs\nnecessary to fulfill job responsibilities and no more."\n\nDOJ Order 2640.2D, Identification And Authentication, states: "No later\nthan February, 2003, secure privileged accounts by using authentication\ntechnology stronger than that which is based only on a UserID and\npassword."\n\n\n\n\n                                 - 28 -\n\x0cUSMS Security Policy and Procedures Manual - Volume IX Section 9, ADP\nSystem User Access Authentication, states: \xe2\x80\x9cEach user will have a unique\nuser identification and password.\xe2\x80\x9d\n\nRisk:\n\nProviding access on the server to users without a business need\nsignificantly increases security risks. Additionally, duplicate user\nidentifications increase the risk that unauthorized users will modify or\ndelete files created by another user, and jeopardize accountability.\nFurthermore, duplicate root-equivalent accounts increase the risk that\nusers have system access privileges that are not required for their job\nfunctions. Furthermore, unauthorized users who target root-equivalent\naccounts have multiple opportunities to gain root access.\n\nAllowing users to log into the system directly as root from any host on\nthe network increases the risk that an unauthorized user will gain\nprivileged access to the system. If shared accounts are logged into\ndirectly, then accountability is lost. Allowing inactive accounts to remain\non the system could potentially give unauthorized users a vehicle or\ntarget for gaining unauthorized access to sensitive system resources.\n\nRecommendation:\n\n     19. We recommend that the Director, USMS, ensure that USMS\n         management:\n\n             a. Enforce Department-wide identification and\n                authentication policies and ensure that only authorized\n                personnel can login to the system.\n\n             b. Establish a system administrator to ensure accounts do\n                not remain inactive on the system and ensure active\n                accounts are appropriate.\n\nIssue: Password Controls are inadequate\n\nCondition:\n\nIn the USMS\xe2\x80\x99s \xe2\x80\x9cPwC Penetration Testing Vulnerability Report,\xe2\x80\x9d dated\nJune 19, 2000, it was disclosed that USMS\xe2\x80\x99s UNIX and Novell servers had\nweak passwords (UNIX Finding 1, UNIX Finding 5 and Novell Finding 1).\n\n\n\n                                 - 29 -\n\x0cAt the time of our audit, we identified the following related weaknesses:\n\n\xe2\x80\xa2   USMS Security Policy and Procedures Manual - Volume IX Section 9,\n    ADP System User Access Authentication, states: \xe2\x80\x9cPasswords shall be\n    six alphanumeric characters in length\xe2\x80\xa6,\xe2\x80\x9d which is in violation of\n    current Department policy.\n\n\xe2\x80\xa2   Four out of 172 accounts on two UNIX servers had passwords equal\n    to the users\xe2\x80\x99 names.\n\n\xe2\x80\xa2   Ninety-nine out of 154 accounts on one UNIX server had the same\n    password.\n\n\xe2\x80\xa2   One UNIX server had the maximum password age set at 99,999\n    days.\n\n\xe2\x80\xa2   One UNIX server had two files that contain passwords in clear text.\n\n\xe2\x80\xa2   Thirty-nine accounts on five Novell servers have a null password.\n\nCause:\n\n\xe2\x80\xa2   USMS passwords policy conflicts with Department policy because\n    USMS has not reviewed and updated the policy to ensure compliance\n    with the Department\xe2\x80\x99s requirement.\n\n\xe2\x80\xa2   Accounts with passwords that are equal to the users\xe2\x80\x99 name exist\n    because initial default passwords have not been changed.\n\n\xe2\x80\xa2   The 99 accounts that have the same passwords are used by WIN\n    administrators and have been assigned the same password as a\n    matter of convenience.\n\n\xe2\x80\xa2   The password age set at 99,999 days is due to a misconfiguration of\n    the UNIX server on the behalf of USMS.\n\n\xe2\x80\xa2   The two files with passwords in clear text are used for automatic login\n    for such services as file transfer protocols.\n\n\xe2\x80\xa2   The cause of all of the Novell accounts with null passwords appears to\n    be an oversight on the behalf of USMS.\n\n\n\n\n                                 - 30 -\n\x0cCriteria:\n\nDOJ Order 2640.2D, Chapter 2 Section 18(b)(1), Password Management,\nstates: \xe2\x80\x9cDepartment IT systems that use passwords as the means for\nauthentication shall implement\xe2\x80\xa6An eight-character password composed\nof at least three of the following: English uppercase, English lower case,\nnumerics, special characters.\xe2\x80\x9d\n\nUSMS Security Policy and Procedures Manual - Volume IX\nSection 9, ADP System User Access Authentication, states: "... each user\nwill have a unique user identification and password."\nDOJ Order 2640.2D, Chapter 2 Section 18(b)(3) and (4), Password\nManagement, states: \xe2\x80\x9cLimit password lifetime to a maximum of 90\ndays,\xe2\x80\x9d and "Prevent the display of a clear text password.\xe2\x80\x9d\n\nRisk:\n\nInconsistent policies can lead to security weaknesses. In this case, the\nUSMS policy permits weaker passwords than the Department\xe2\x80\x99s policy\nallows.\n\nEasy-to-guess passwords increase the chances that an intruder can gain\naccess to the system or represent him or herself as a valid user. This\nwas proven by our ability to gain root access on one UNIX server using\nthe default password of a UNIX account. Furthermore, having the same\npassword for multiple accounts increases the chance that users can log\nin with a different account and thus masquerade their identity.\n\nAccount passwords that are not changed with a scheduled frequency\nincrease the possibility of compromise and unauthorized use of the\naccount by an intruder representing him or herself as a valid user.\n\nThe existence of reference files or scripts with unencrypted passwords\nincreases the risk that unauthorized users will gain access to user\naccounts on the system.\n\nUsers without passwords increase the risk that unauthorized users will\ngain access to systems and access data and system configuration files.\n\n\n\n\n                                - 31 -\n\x0cRecommendation:\n\n  20. We recommend that the Director, USMS:\n\n             a. Review and update its current policies so that they are in\n                compliance with the Department\xe2\x80\x99s policies.\n\n             b. Enforce Department-wide password policies and\n                procedures and install security tools on all servers to\n                enforce restrictions on passwords.\n\n\nIssue: Accounts and Privileged Groups\n\nCondition:\n\nOn the hq001 server, 2 out of 177 accounts are inappropriately assigned\nto privileged groups. Users listed in privileged groups have access to\ngroup files and directories owned by the privileged group. This increases\nthe risk that sensitive system configuration files could be changed or\ndeleted.\n\nCause:\n\nThis condition exists due to a misconfiguration on the part of USMS.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n\xe2\x80\x9cEnable the use of resources such as data and programs necessary to\nfulfill job responsibilities and no more.\xe2\x80\x9d\n\nRisk:\n\nUsers listed in privileged groups have access to group files and\ndirectories owned by the privileged group. This increases the risk that\nsensitive system configuration files could be changed or deleted.\n\nRecommendation:\n\n  21. We recommend that the Director, USMS, ensure that USMS\n      management delete accounts that do not require access to a\n      privileged group.\n\n\n                                 - 32 -\n\x0cB. Logical Access Controls. Logical access controls are the system-based\n   mechanisms used to designate who or what is to have access to a specific\n   system resource and the type of transactions and functions that are\n   permitted.\n\n   Issue: Logical Access Controls\n\n   Condition:\n\n   The following risky services are found to be running on WIN and MNET\n   systems:\n\n     \xe2\x80\xa2   \xe2\x80\x9crusers\xe2\x80\x9d (found on one server) \xe2\x80\x93 \xe2\x80\x9crusers\xe2\x80\x9d provides information\n         about users on the host.\n\n     \xe2\x80\xa2   Telnet (found on 16 servers) \xe2\x80\x93 allows userid and password\n         information to pass over the network as clear text.\n\n     \xe2\x80\xa2   Berkley r-services (rexec, rlogin, rsh) and configuration files\n         (/etc/hosts.equiv) (found on 14 servers) \xe2\x80\x93 allow users to\n         log in or execute commands from a trusted machine without\n         re-authenticating.\n\n     \xe2\x80\xa2   .rhosts (found on two servers) \xe2\x80\x93 individual .rhost files (in\n         conjunction with r-services), allow users to log in or execute\n         commands from a trusted machine with out re-authenticating.\n\n     \xe2\x80\xa2   Sendmail (vrfy and expn commands)(found on six servers) \xe2\x80\x93\n         provides email transport.\n\n    The following Windows NT server configurations were set improperly in\n    all Windows NT Primary Domain Controllers (PDC) servers accessed:\n\n     \xe2\x80\xa2   Five allow \xe2\x80\x9canonymous\xe2\x80\x9d connections to gather user, group, share,\n         and policy information.\n\n     \xe2\x80\xa2   Five had no account lockout, including the administrator account.\n\n     \xe2\x80\xa2   Five did not have the auditing feature enabled. Auditing is critical\n         for preventing and monitoring unauthorized access to the Windows\n         NT environment.\n\n\n\n\n                                    - 33 -\n\x0c \xe2\x80\xa2   Seven servers has \xe2\x80\x9cfinger daemon,\xe2\x80\x9d which gives out information\n     including username, login status, and last login time.\n\nSimilar conditions relating to rusers, telnet, Berkley r-services, vrfy and\nexpn, finger, and other services were also noted in the following prior-\nyear findings (USMS PwC Penetration Testing Vulnerability Report, dated\nJune 2000, Finding numbers: 2, 4, 6, 7, 10, 12, 14, and 15.)\n\nCause:\n\n \xe2\x80\xa2   Rusers are enabled by default.\n\n \xe2\x80\xa2   Telnet offers a major convenience for users.\n\n \xe2\x80\xa2   The Berkley r-services offer a convenience to users.\n\n \xe2\x80\xa2   The vrfy and expn sendmail commands are enabled by default.\n\n \xe2\x80\xa2   The finger command is enabled by default.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n\xe2\x80\x9cProtect the system, its data and applications, from unauthorized\ndisclosure, modification, or erasure.\xe2\x80\x9d\n\nRisk:\n\n \xe2\x80\xa2   Rusers (found on one server) \xe2\x80\x93 Rusers provides potentially enticing\n     information on users on the host. It provides information on how\n     busy the machine is and on login accounts. This is information an\n     intruder can use in an attack. A scanner or attacker in a brute-\n     force attack can then use the account information.\n\n \xe2\x80\xa2   Telnet (found on 16 servers) \xe2\x80\x93 allows userid and password\n     information to pass over the network in the clear. Any\n     unauthorized user on the network can sniff out this information and\n     log into the system as that user.\n\n \xe2\x80\xa2   Berkley r-services (rexec, rlogin, rsh) (found on 14 servers) and\n     configuration files (/etc/hosts.equiv and rhosts \xe2\x80\x93 found on two\n     servers). r-services (rexec, rlogin and rsh) (in conjunction with the\n     /etc/hosts.equiv file) and individual .rhosts files, provide a large\n\n\n                                - 34 -\n\x0c      amount of risk to a system by allowing users to log in or execute\n      commands from a trusted machine without re-authenticating;\n\n \xe2\x80\xa2    Sendmail (vrfy and expn commands)(found on six servers) \xe2\x80\x93\n      provides email transport. There are features and bugs to sendmail\n      that may place the system at risk and could allow unauthorized\n      access or remote execution of programs.\n\n \xe2\x80\xa2    Five servers allow \xe2\x80\x9canonymous\xe2\x80\x9d connections to gather user, group,\n      share, and policy information. Anonymous connections give\n      individuals a method of obtaining share, group, user, and account\n      policy and account lockout information from a system.\n\n \xe2\x80\xa2    Five servers had no account lockout, including the administrator\n      account. Locking out accounts after a specified failed login\n      attempts decreases the risk that the user accounts will be\n      compromised through brute force attacks.\n\n \xe2\x80\xa2    Five servers did not have the auditing feature enabled. Auditing is\n      critical for preventing and monitoring unauthorized access to the\n      Windows NT environment.\n\n \xe2\x80\xa2    Seven servers had finger daemon, which gives out information\n      including username, login status, last login time, and other\n      information that an unauthorized user could use to plan an attack\n      on the system.\n\nRecommendation:\n\n     22. We recommend that the Director, USMS, ensure that USMS\n         management develop, implement, and monitor procedures\n         establishing specific security standards and settings for running\n         vulnerable services and server configurations.\n\n\n\n\n                                 - 35 -\n\x0c Issue: Data Encryption\n\n Condition:\n\n Encryption is not being used to protect WIN data that is sent across\n MNET.\n\n Cause:\n\n USMS does not require WIN data to be encrypted before transmission.\n\n Criteria:\n\n DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n \xe2\x80\x9cProtect the system, its data and applications, from unauthorized\n disclosure, modification, or erasure.\xe2\x80\x9d\n\n Federal Information Processing Standards Publication (FIPS PUB) 46-3,\n states: \xe2\x80\x9cData that is considered sensitive by the responsible authority,\n data that has a high value, or data that represents high value should be\n cryptographically protected if it is vulnerable to unauthorized disclosure\n or undetected modification during transmission or while in storage.\xe2\x80\x9d\n\n Risk:\n\n Sensitive information may be the target of sniffing attacks by\n unauthorized users. If transactions are occurring that contain highly\n confidential information, it may be vulnerable to sniffing if it is not\n encrypted. Hash algorithms will help mitigate against a loss of data\n integrity should the data be manipulated in transit.\n\n Recommendation:\n\n23.       We recommend that the Director, USMS, implement some level\n          of encryption of WIN data before it is transferred across the\n          network.\n\n\n\n\n                                 - 36 -\n\x0cIssue: Cisco Router Access Controls Are Inadequate\n\nCondition:\n\nThe following router access controls are inadequate on the Cisco router:\n\n \xe2\x80\xa2 Access lists are not used to restrict which hosts can access the login\n   prompt.\n\n \xe2\x80\xa2 The router does not have a session-timeout variable assigned.\n   Timeout sessions provide additional security against consoles that\n   are left unattended.\n\nCause:\n\nWe found that these conditions exist due to misconfiguration of the\nsetting by USMS.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n\xe2\x80\x9cProtect the system, its data and applications, from unauthorized\ndisclosure, modification, or erasure,\xe2\x80\x9d and \xe2\x80\x9cDisable inactive sessions so\nthat authentication is required to re-establish the session after 20\nminutes or less of inactivity. Screen saver or workstation lockouts that\nrequire users to re-enter their passwords, such as those available in\nWindows, are acceptable.\xe2\x80\x9d\n\nDOJ Order 2640.2D Chapter 2 Section 18, Password Management,\nstates: \xe2\x80\x9cAll Department IT systems shall implement a system banner\nthat provides warnings: to employees that accessing the system\nconstitutes consent to system monitoring for law enforcement and other\npurposes; and to unauthorized users that their use of the system may\nsubject them to criminal prosecution and/or criminal or civil penalties.\xe2\x80\x9d\n\nRisk:\n\nAllowing anyone on the network access to the login prompt increases\nthe risk of unauthorized access to the router.\n\nTimeout sessions provide additional security against consoles that are\nleft unattended. If a user can gain access to a console left unattended,\nthey can modify the router\xe2\x80\x99s configuration.\n\n\n                               - 37 -\n\x0cRecommendation:\n\n   24. We recommend that the Director, USMS, ensure that USMS\n       management create an appropriate access list for all routers,\n       and set timeout values for an unattended console.\n\nIssue: Cisco Router Traffic Filtering\n\nCondition:\n\nTraffic filtering controls are inadequate on the Cisco router. The router\ndoes not have transmission control protocol (TCP) intercept mode\nactivated, which is used to watch the activity of incoming connection\nrequests to aid in the prevention of a denial of service attack.\nAdditionally, activity not explicitly allowed is not being logged to an\naccess list. The information obtained from the access list can be used to\nexamine unwarranted attempts to access the network.\n\nCause:\n\nThese conditions exist because of USMS\xe2\x80\x99s misconfiguration of the TCP\nintercept mode.\n\nCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n\xe2\x80\x9cProtect the system, its data and applications, from unauthorized\ndisclosure, modification, or erasure.\xe2\x80\x9d\n\nUSMS Security Policy and Procedures Manual - Volume IX Section 9,\nADP System User Access Authentication, states: \xe2\x80\x9cAudit trails are\nrequired on all ADP systems processing Limited Official Use or classified\ninformation which may be accessed by more than one user and must be\nreviewed by the Computer Systems Security Officer or Assistant\nComputer Systems Security Officer at least on a weekly basis.\xe2\x80\x9d\n\n\n\n\n                               - 38 -\n\x0cRisk:\n\nIf TCP intercept mode is not activated, WIN becomes susceptible to\ndenial of service attacks, which can shut down the network.\n\nIf access lists are not used to monitor activity, unauthorized users may\nbe able to gain access to the router.\n\nRecommendation\n\n 25. We recommend that the Director, USMS, ensure that USMS\n     security management properly configure TCP intercept mode and\n     add logging for specific access lists.\n\nIssue: Software Patches\n\nCondition:\n\nWe found that the operating system software is not kept up-to-date\nwith respect to security patches on the winsrv and hq001 servers.\nCurrent versions of the software patch contain processing and security\nenhancements. Additionally, the patch can correct bugs that have been\nidentified by (or communicated to) the operating system vendor.\n\nCause:\n\nThis condition exists due to a lack of formal procedures for keeping\nup-to-date with security patches.\n\nCriteria:\n\nNIST SP 800-13 Section 5.10, Telecommunications Security Guidelines\nfor Telecommunications Management Network, states: "All new\nsoftware features and patches shall be tested first on a development\nsystem and approved by an appropriate testing organization, prior to\ninstallation on an operational system. Tests that modify live data shall\nnot be performed. A risk analysis shall be conducted of proposed\nsoftware changes to determine their impact on network element\nsecurity. Any changes to security features or security defaults shall be\ndocumented and made available to the user before the software is\ndistributed."\n\n\n\n\n                               - 39 -\n\x0cRisk:\n\nIf the version of the operating system and the security patches are not\ncurrent, there is an increased risk that an unauthorized user may be\nable to exploit system weaknesses.\n\nRecommendation:\n\n     26. We recommend that the Director, USMS, ensure USMS\n         management implement and document procedures to require\n         that the latest security patch from the system vendor is\n         obtained and that it is properly installed and configured.\n\nIssue: Windows NT Systems Improperly Configured.\n\nCondition:\n\nWindows NT systems\xe2\x80\x99 configuration were improperly set, as identified\nbelow:\n\n \xe2\x80\xa2   The following Windows NT Primary Domain Controllers (PDCs) allow\n     anonymous connections to gather user, group, share, and policy\n     information:\n\n     ABSSERVER\n     HRD_PS7NT\n     COLOSSUS\n     JSD-APPS\n     HQ_NOTES\n\n \xe2\x80\xa2   The following Windows NT PDCs have a minimum password length\n     of 0 characters:\n\n     ABSSERVER\n     HRD_PS7NT\n     COLOSSUS\n     HQ_NOTES\n\n \xe2\x80\xa2   The following Windows NT PDCs have no maximum password age:\n\n     HRD_PS7NT\n     JSD_APPS\n\n\n\n                               - 40 -\n\x0c \xe2\x80\xa2   The following Windows NT PDCs have the minimum password age\n     set to 0 days:\n\n     ABSSERVER\n     HRD_PS7NT\n     COLOSSUS\n     JSD_APPS\n     HQ_NOTES\n\n \xe2\x80\xa2   The following Windows NT PDCs have a password history of 0\n     passwords:\n\n     ABSSERVER\n     HRD_PS7NT\n     COLOSSUS\n     HQ_NOTES\n\nSimilar conditions were also noted in a prior year (June 2000) report, as\nidentified below:\n\n \xe2\x80\xa2    The following prior-year findings relate to Windows NT PDCs\n      allowing null connections to gather information:\n     "Windows NT Finding 4" in the "USMS PwC Penetration Testing\n      Vulnerability Report"\n\n \xe2\x80\xa2    The following prior-year findings relate to account lockout:\n     "Windows NT Finding 6" in the "USMS PwC Penetration Testing\n      Vulnerability Report"\n     "Windows NT Finding 7" in the "USMS PwC Penetration Testing\n      Vulnerability Report"\n\n \xe2\x80\xa2    The following prior-year finding relates to auditing not being\n      enabled:\n     "Windows NT Finding 8" in the "USMS PwC Penetration Testing\n      Vulnerability Report"\n\nCause:\n\nAll of the conditions noted above exist due to a lack of formal Windows\nNT security procedures.\n\n\n\n\n                                - 41 -\n\x0cCriteria:\n\nDOJ Order 2640.2D Chapter 2 Section 16, Access Control, states:\n\xe2\x80\x9cProtect the system, its data and applications, from unauthorized\ndisclosure, modification, or erasure.\xe2\x80\x9d\n\nRisk:\n\n \xe2\x80\xa2   The null credentials logon gives individuals a method of obtaining\n     share, user and group, account policy, and account lockout\n     information from a system. With this information, attackers can\n     start brute force guessing passwords and attempt to compromise\n     the system.\n\n \xe2\x80\xa2   Setting a minimum password length forces users to create\n     passwords that will be more difficult to guess or crack.\n\n \xe2\x80\xa2   Account passwords that are not periodically changed increases the\n     possibility of compromise and exposure to the password. It also\n     increases the possibility of unauthorized access to the system.\n\n \xe2\x80\xa2   By setting a minimum password age, users are prevented from\n     cycling passwords until they return to their previous password.\n     Having this feature enabled prevents a user from bypassing the\n     password uniqueness control.\n\n \xe2\x80\xa2   Requiring unique passwords prevents a user from recycling old\n     passwords that may have been compromised.\n\n \xe2\x80\xa2   Users in the \xe2\x80\x9cDomain Admins\xe2\x80\x9d group have the highest level of\n     privileges on a Windows NT Domain, and are thus the first target of\n     unauthorized users. The more \xe2\x80\x9cDomain Admins\xe2\x80\x9d there are, the\n     more avenues of attack there are for an unauthorized user to gain\n     access.\n\n \xe2\x80\xa2   Inactive accounts are often used by intruders to break into a\n     network.\n\n \xe2\x80\xa2   Locking out accounts after a specified number of failed login\n     attempts decrease the risk that user accounts will be compromised\n     through brute force attacks.\n\n\n\n\n                                - 42 -\n\x0c    \xe2\x80\xa2   Auditing is crucial for preventing and monitoring unauthorized\n        access to the Windows NT environment.\n\n   Recommendation:\n\n        27. We recommend that the Director, USMS, ensure that USMS\n            management develop, implement, and monitor documented\n            policy establishing specific password standards for server\n            configurations.\n\nC. Audit trails. Audit trails maintain a record of system activity by\n   system or application processes and by user activity. In conjunction\n   with appropriate tools and procedures, audit trails can provide individual\n   accountability, a means to reconstruct events, detect intrusions, and\n   identify problems.\n\n   Issue: Auditing, Logging, and Monitoring Are Not Sufficient.\n\n   Condition:\n   System activities are not adequately logged and reviewed on a regular\n   basis on winsrv and hq001 servers.\n\n   Cause:\n\n   This condition exists due to a lack of formal procedures for auditing.\n\n   Criteria:\n\n   USMS Security Policy and Procedures Manual - Volume IX Section 9,\n   ADP System User Access Authentication, states: \xe2\x80\x9cAudit trails are\n   required on all ADP systems processing limited official use or classified\n   information which may be accessed by more than one user and must be\n   reviewed by the Computer Systems Security Officer or Assistant\n   Computer Systems Security Officer at least on a weekly basis.\xe2\x80\x9d\n\n   Risk:\n\n   Insufficient logging will result in the lack of an audit trail in the event of\n   an unauthorized access. Without good logging and monitoring,\n   administrators are not often given early warnings for hardware and\n   software errors or problems.\n\n\n\n\n                                     - 43 -\n\x0c    Recommendation:\n\n         28. We recommend that the Director, USMS, ensure that USMS\n             management implement procedures to ensure that system log\n             messages are reviewed on a regular basis and that system\n             alerts are sent when problems arise.\n\nCONCLUSION\n\n      We assessed management, operational, and technical controls at a\nhigh risk to the protection of the WIN and MNET systems from unauthorized\nuse, loss, or modification. Specifically, we identified vulnerabilities in 16 of\nthe 17 control areas and noted security findings in the following areas:\nreview of security controls, life cycle, authorized processing, system security\nplan, personnel security, physical and environmental security, production\nand input/output controls, contingency planning, hardware and systems\nsoftware maintenance, data integrity, documentation, security awareness,\nincident response capability, identification and authentication, logical access\ncontrols, and audit trails. Certification and accreditation to operate the WIN\nand MNET systems should be rescinded until these weaknesses are\ncorrected.\n\n       We concluded that these vulnerabilities occurred because USMS\nmanagement did not fully develop, enforce, or formalize agency-wide\npolicies in accordance with current Department policies and procedures.\nAdditionally, the Department did not enforce its security policies and\nprocedures to ensure the WIN and MNET systems were protected from\nunauthorized use, loss, or modification through its certification and\naccreditation process. Furthermore, many of the vulnerabilities identified\nduring this audit could have been prevented if USMS security management\nhad followed-up on corrective actions for similar vulnerabilities identified in\nprevious years.\n\n       Additionally, many of the causes stated in this report evidence a lack\nof commitment by USMS to implement timely corrective actions. This is\nillustrated by the inadequate number of individuals on the IT security team\nassigned to develop the documents required for WIN and MNET certification\nand accreditation.\n\n\n\n\n                                     - 44 -\n\x0c                                                                  APPENDIX I\n\n          NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY\n                     GENERAL AREAS OF CONTROL\n\n     The review focused on evaluating the adequacy of management,\noperational and technical controls over the following specific control areas:\n\nI. MANAGEMENT CONTROLS. Management controls focus on the\nmanagement of the IT security system and the management of risk for a\nsystem. They are techniques and concerns that are normally addressed by\nmanagement.\n\n   \xe2\x80\xa2   Risk Management. Risk is the possibility of something adverse\n       happening. Risk management is the process of assessing risk, taking\n       steps to reduce risk to an acceptable level, and maintaining that level\n       of risk. Assessing risk management involves evaluating the USMS\n       efforts to complete the following critical procedures:\n\n          o Periodic performance of a system risk assessment had been\n            performed.\n          o Program officials understand the risk to systems under their\n            control and had determined the acceptable level of risk.\n\n   \xe2\x80\xa2   Review of Security Controls. Routine evaluations and response to\n       identified vulnerabilities are important elements of managing security\n       controls of a system. Determining whether review of security controls\n       had been adequately performed requires the auditor to assess if the\n       following critical items were completed:\n\n          o A system security control review had been performed for both\n            WIN and MNET and interconnected systems.\n          o Management ensured effective implementation of corrective\n            actions.\n\n   \xe2\x80\xa2   Life Cycle. Like other aspects of an IT system, security is best\n       managed if planned for throughout the IT system life cycle. There are\n       many models for the IT system life cycle but most contain five basic\n       phases: initiation, development/acquisition, implementation,\n\n\n\n\n                                     - 45 -\n\x0c      operation, and disposal. Assessing a system\xe2\x80\x99s life cycle involves\n      identifying if the following critical items are in place for WIN and\n      MNET:\n\n         o A system development life cycle methodology.\n         o System change controls as programs progress through testing to\n           final approval.\n\n  \xe2\x80\xa2   Authorize Processing (Certification and Accreditation).\n      Authorize processing (also referred to as certification and\n      accreditation) provides a form of assurance of the security of the\n      system. To determine whether WIN and MNET had been appropriately\n      authorized to process data involves analyzing critical documents that\n      identifies whether:\n\n         o The system had been certified/recertified and authorized to\n           process (accredited).\n         o The system is operating on an interim authority in accordance\n           with specified agency procedures.\n\n  \xe2\x80\xa2   System Security Plan. A system security plan provides an overview\n      of the security requirements of the system and describes the controls\n      in place or planned for meeting those requirements. The plan\n      delineates responsibilities and expected behavior of all individuals who\n      access the system. Assessing whether the WIN and MNET systems\n      have an adequate system security plan requires identifying if the\n      following critical elements were met:\n\n         o A system security plan had been documented for the system and\n           all interconnected systems if the boundary controls are\n           ineffective.\n         o The plan is kept current.\n\nII. OPERATIONAL CONTROLS: Operational controls address security\ncontrols that are implemented and executed by people. These controls are\nput in place to improve the security of a particular system. They often\nrequire technical or specialized expertise and rely upon management\nactivities as well as technical controls.\n\n  \xe2\x80\xa2   Personnel Security. Many important issues in computer security\n      involve human users, designers, implementers, and managers. A\n      broad range of security issues relates to how these individuals interact\n      with computers and the access and authorities they need to do their\n\n\n                                     - 46 -\n\x0c    jobs. Assessing personnel security involves evaluating the USMS\n    efforts to complete the following critical procedures:\n\n      o Duties are separated to ensure least privilege and individual\n        accountability.\n      o Appropriate background screening for assigned positions is\n        completed prior to granting access.\n\n\xe2\x80\xa2   Physical and Environmental Protection. Physical security and\n    environmental security are the measures taken to protect systems,\n    buildings, and related supporting infrastructures against threats\n    associated with their physical environment. Assessing physical and\n    environmental protection involves evaluating the USMS efforts to\n    complete the following critical procedures:\n\n      o Adequate physical security controls have been implemented and\n        are commensurate with the risks of physical damage or access.\n      o Data is protected from interception.\n      o Mobile and portable systems are protected.\n\n\xe2\x80\xa2   Production, Input/Output Controls. There are many aspects to\n    supporting IT operations. Topics range from a user help desk to\n    procedures for storing, handling, and destroying media. Assessing\n    production, input/output controls involves evaluating the USMS efforts\n    to ensure the following critical elements are met:\n\n      o User support is being provided to WIN and MNET network users.\n      o Media controls are in place for the WIN and MNET network.\n\n\xe2\x80\xa2   Contingency Planning. Contingency planning ensures continued\n    operations by minimizing the risk of events that could disrupt normal\n    operations and having an approach in place to respond to those events\n    should they occur. Assessing contingency planning involves evaluating\n    the USMS efforts to complete the following critical procedures:\n\n      o Identify the most critical and sensitive operations and their\n        supporting computer resources.\n      o Develop and document a comprehensive contingency plan.\n      o Have tested contingency/disaster recovery plans in place.\n\n\xe2\x80\xa2   Hardware and System Software Maintenance. These are controls\n    used to monitor the installation of, and updates to, hardware and\n    software to ensure that the system functions as expected and that a\n\n\n                                 - 47 -\n\x0c    historical record is maintained of changes. Some of these controls are\n    also covered in the Life Cycle Section. Assessing hardware and system\n    software maintenance involves evaluating the USMS efforts to\n    complete the following critical procedures:\n\n      o Access is limited to system software and hardware.\n      o All new and revised hardware and software are authorized,\n        tested, and approved before implementation.\n      o Systems are managed to reduce vulnerabilities.\n\n\xe2\x80\xa2   Data Integrity. Data integrity controls are used to protect data from\n    accidental or malicious alteration or destruction and to provide\n    assurance to the user the information meets expectations about its\n    quality and integrity. Assessing data integrity involves evaluating the\n    USMS efforts to complete the following critical procedures:\n\n      o Virus detection and elimination software is installed and\n        activated.\n      o Data integrity and validation controls are used to provide\n        assurance that the information has not been altered and the\n        system functions as intended.\n\n\xe2\x80\xa2   Documentation. The documentation contains descriptions of the\n    hardware, software, policies, standards, procedures, and approvals\n    related to the system and formalize the system\xe2\x80\x99s security controls.\n    Assessing documentation involves evaluating the USMS efforts to\n    complete the following critical procedures:\n\n      o There is sufficient documentation that explains how\n        software/hardware is to be used.\n      o There are documented formal security and operational\n        procedures.\n\n\xe2\x80\xa2   Security Awareness, Training, and Education. People are a\n    crucial factor in ensuring the security of computer systems and\n    valuable information resources. Security awareness, training, and\n    education enhance security by improving awareness of the need to\n    protect system resources. Additionally, training develops skills and\n    knowledge so computer users can perform their jobs more securely\n    and build in-depth knowledge. Assessing security awareness, training,\n    and education involves evaluating the USMS efforts to complete the\n    following critical procedures:\n\n\n\n                                  - 48 -\n\x0c         o Employees have received adequate training to fulfill their\n           security responsibilities.\n\n  \xe2\x80\xa2   Incident Response Capability. Computer security incidents are an\n      adverse event in a computer system or network. Such incidents are\n      becoming more common and their impact far-reaching. The following\n      questions are organized according to two critical elements. Assessing\n      incident response capability involves evaluating the USMS efforts to\n      complete the following critical procedures:\n\n         o There is a capability to provide help to users when a security\n           incident occurs in the system.\n         o Incident related information is shared with appropriate\n           organizations.\n\nIII. TECHNICAL CONTROLS. Technical controls focus on security controls\nthat the computer system executes and depend upon the proper functioning\nof the system to be effective. Technical controls require significant\noperational considerations and should be consistent with the management of\nsecurity within the organization.\n\n  \xe2\x80\xa2   Identification and Authentication. Identification and\n      authentication is a technical measure that prevents unauthorized\n      people or processes form entering an IT system. Access Control\n      usually requires that the system be able to identify and differentiate\n      among users. Authentication is verification that a person\xe2\x80\x99s claimed\n      identity is valid and it is usually implemented through the use of\n      passwords. Assessing identification and authentication involves\n      evaluating the USMS efforts to complete the following critical\n      procedures:\n\n         o Users are individually authenticated via passwords, tokens, or\n           other devices.\n         o Access controls are enforcing segregation of duties.\n\n  \xe2\x80\xa2   Logical Access Controls. Logical Access Controls are the system-\n      based mechanisms used to designate who or what is to have access to\n      a specific system resource and the type of transactions and functions\n      that are permitted. Assessing logical Access Controls involves\n      evaluating the USMS efforts to complete the following critical\n      procedures:\n\n\n\n\n                                    - 49 -\n\x0c      o Logical access controls restrict users to authorized transactions\n        and functions.\n      o There are controls over network access.\n      o There controls implemented to protect the integrity of the\n        application and the confidence of the public when the public\n        accesses the system.\n\n\xe2\x80\xa2   Audit Trails. Audit trails maintain a record of system activity by\n    system or application processes and by user activity. In conjunction\n    with appropriate tools and procedures, audit trails can provide\n    individual accountability, a means to reconstruct events, detect\n    intrusions, and identify problems. Assessing audit trails involves\n    evaluating the USMS efforts to complete the following critical\n    procedure:\n\n      o Activity involving access to and modification of sensitive or\n        critical files is logged, monitored, and possible security violations\n        are investigated.\n\n\n\n\n                                  - 50 -\n\x0c         APPENDIX II\n\n\n\n\n- 51 -\n\x0c- 52 -\n\x0c- 53 -\n\x0c- 54 -\n\x0c- 55 -\n\x0c- 56 -\n\x0c- 57 -\n\x0c                                                       APPENDIX III\n\n     OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION ANALYSIS AND\n            SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT\n\n\nRecommendation Number:\n\n1.      Resolved. The USMS agreed with the need for appropriate security\n        controls and stated that while some progress has been made,\n        resolution of many of the system vulnerabilities requires additional\n        security resources. To close this recommendation, the USMS needs to\n        provide the OIG evidence of the USMS\xe2\x80\x99s corrective action plan to track\n        and resolve IT security vulnerabilities.\n\n2.      Resolved. The USMS agreed with the need to implement a System\n        Development Life Cycle (SDLC). To close this recommendation, the\n        USMS needs to provide the OIG with evidence that the Information\n        Technology Investment Management/SDLC methodology was\n        approved and implemented.\n\n3.      Resolved. The USMS agreed to place WIN and MNET in an Interim\n        Approval To Operate (IATO) status for six months. To close this\n        recommendation, the USMS needs to provide the OIG evidence that an\n        IATO is obtained and a corrective action plan is established within the\n        six month timeframe, including preparing the ST&E, contingency plan\n        (with testing), and a system security plan.\n\n4.      Resolved. The USMS agreed with the need for an adequate WIN\n        system security plan. To close this recommendation, the USMS needs\n        to provide the OIG with evidence that the system security complies\n        with NIST requirements and that corrective actions were taken to\n        ensure WIN and MNET systems meet the requirements set forth in the\n        C&A process.\n\n5.      Resolved. The USMS agreed with the need for proper separation of\n        duties and stated that procedures are in place requiring separation of\n        duties. To close this recommendation, the USMS needs to provide the\n        OIG with the procedures requiring separation of duties between\n        system developers and system administrators.\n\n6.      Resolved. The USMS agreed with the need for adequate physical and\n        environmental controls and indicated all USMS production servers had\n        been moved to a new location. To close this recommendation, the\n        USMS needs to provide the OIG evidence that the new location\xe2\x80\x99s\n\n\n                                     - 58 -\n\x0c      physical and environmental controls were implemented as described in\n      DOJ Order 2640.2D.\n\n7.    Resolved. The USMS agreed with the need to review world-writeable\n      files. To close this recommendation, the USMS needs to provide the\n      OIG evidence that the (a) WIN files and directories were reviewed, (b)\n      procedures were developed for proper assignment of file permissions\n      for users, and (c) the policy of \xe2\x80\x9cleast privilege\xe2\x80\x9d was implemented.\n\n8.    Resolved. The USMS agreed with the need to review the use of\n      parameter settings. To close this recommendation, the USMS needs to\n      provide the OIG evidence that the user parameter settings were\n      reviewed for proper assignment of user parameters.\n\n9.    Resolved. The USMS agreed that written procedures need to be\n      prepared to assist help desk personnel in performing their daily\n      responsibilities. To close this recommendation, the USMS needs to\n      provide the OIG evidence that written procedures are in place to assist\n      help desk personnel in responding to user problems.\n\n10.   Resolved. The USMS agreed that written media control procedures\n      and audit trails need to be established. To close this recommendation,\n      the USMS needs to provide the OIG evidence once documented\n      procedures are established to control how and when media and other\n      types of USMS data are transferred. In addition, please provide\n      documentation showing how audit trails will be maintained to evidence\n      such events.\n\n11.   Resolved. The USMS agreed that a documented MNET contingency\n      plan is needed. To close this recommendation, the USMS needs to\n      provide the OIG evidence that a contingency plan is approved and\n      tested.\n\n12.   Resolved. The USMS agreed that Cisco router fault tolerance is\n      inadequate. To close this recommendation, the USMS needs to\n      provide the OIG evidence that policies and procedures are\n      implemented to ensure all stable runner router configuration files are\n      archived.\n\n13.   Resolved. The USMS agreed with the need to remove system\n      software that is not required. To close this recommendation, the\n      USMS needs to provide the OIG evidence once the Justice\n      Consolidated Office Network (JCON) deployment has been performed\n\n\n                                    - 59 -\n\x0c      showing the removal of any software not required for business-related\n      functions.\n\n14.   Resolved. The USMS agreed with the need to develop policies and\n      procedures for virus and intrusion detection. To close this\n      recommendation, the USMS needs to provide the OIG the policies and\n      procedures developed to ensure the installation and use of virus\n      detection software and intrusion detection software. In addition,\n      please provide evidence that IT personnel are receiving training to use\n      the software properly.\n\n15.   Resolved. The USMS agreed with the need to create a system-\n      warning banner. To close this recommendation, the USMS needs to\n      provide the OIG evidence showing creation of a system-warning\n      banner that was reviewed and approved by the USMS\xe2\x80\x99s Office of\n      General Counsel (OGC).\n\n16.   Resolved. The USMS agreed with the need to develop and implement\n      policies and procedures for securing Cisco routers. To close this\n      recommendation, the USMS needs to provide the OIG evidence that\n      policies and procedures are developed and implemented.\n\n17.   Resolved. The USMS agreed with the need to establish Rules of\n      Behavior. To close this recommendation, the USMS needs to provide\n      the OIG evidence that the OGC was contacted and the Rules of\n      Behavior finalized to comply with Department guidance.\n\n18.   Resolved. The USMS stated in their response that a Computer\n      Incident Response Plan, including designation of incident response\n      responsibilities, was prepared in October 2002. To close this\n      recommendation, the USMS needs to provide the OIG with a copy of\n      the Computer Incident Response Plan.\n\n19.   Resolved. The USMS concurred with enforcing Department-wide\n      identification and authentication policies. To close this\n      recommendation, the USMS needs to provide the OIG evidence that a\n      process is established to enforce the Department-wide policies and a\n      system administrator is established to ensure accounts do not remain\n      inactive on the system and active accounts are appropriate.\n\n20.   Resolved. The USMS concurred that password controls are\n      inadequate. To close this recommendation, the USMS needs to\n      provide the OIG evidence that the password policies were updated in\n\n\n                                    - 60 -\n\x0c      compliance with Department\xe2\x80\x99s policies. In addition, please provide the\n      OIG evidence that security tools are installed on servers to enforce\n      password restrictions.\n\n21.   Resolved. The USMS agreed to delete accounts that do not require\n      access to a privileged group. To close this recommendation, the USMS\n      needs to provide the OIG evidence that the accounts were deleted.\n\n22.   Resolved. The USMS agreed to establish security standards and\n      settings for running vulnerable services and server configuration. To\n      close this recommendation, the USMS needs to provide the OIG with\n      the security standards and settings that are established.\n\n23.   Resolved. The USMS agreed to review the level of WIN data\n      encryption. To close this recommendation, the USMS needs to provide\n      the OIG evidence of the level of encryption implemented before data is\n      transferred across the network.\n\n24.   Resolved. The USMS agreed to review Cisco router access controls.\n      To close this recommendation, the USMS needs to provide the OIG\n      with the an updated access list for all routers and documentation\n      showing that a 20 minute timeout is set for an unattended console.\n\n25.   Resolved. The USMS agreed to review and incorporate changes to its\n      router configurations. To close this recommendation, the USMS needs\n      to provide the OIG with evidence that procedures include properly\n      configuring TCP intercept mode and logging for specific access lists.\n\n26.   Resolved. The USMS agreed to develop and implement procedures\n      for security patches. To close this recommendation, the USMS needs\n      to provide the OIG evidence that the security patch is obtained from\n      the vendor in a timely manner and tested prior to installation.\n\n27.   Resolved. The USMS agreed to establish, disseminate, and enforce\n      password policies and standards. To close this recommendation, the\n      USMS needs to provide the OIG evidence that the USMS developed,\n      disseminated, and monitors its password policies and standards.\n\n28.   Resolved. The USMS agreed to assign a person to review system logs\n      on a regular basis and transmit system alert when problems arise. To\n      close this recommendation, the USMS needs to provide the OIG with\n      the USMS personnel assigned responsibility for reviewing system logs.\n      In addition, the USMS needs to provide the OIG with the procedures\n\n\n                                   - 61 -\n\x0cimplemented to ensure that system logs messages are reviewed on a\nregular basis and that system alerts are sent when problems arise.\n\n\n\n\n                            - 62 -\n\x0c'